
Australian data breach notification: does it really solve everything?

  • 16 March 2017
  • Written by  Alex Tilley and Ray Shaw
  • Published in Security

Last month, the Australian Government implemented the Privacy Amendment (Notifiable Data Breaches) Bill 2016. It is a huge move, but in the end, does it change anything?

Analysts applauded the move, but many are asking if it is the whole answer, especially given that it exempts businesses with less than $3 million in turnover. They rightly ask, “Will this legislation solve the security problems – will it ensure all companies take precautions and implement top-grade security?”

iTWire asked Alex Tilley, senior security researcher in the Counter Threat Unit at SecureWorks (a public company spun out of Dell), to explain the issues in his own words. Alex is a former Australian Federal Police senior technical analyst and a prominent commentator on enterprise security matters.

The answer is, unfortunately, not a chance! The IT systems of organisations affected by this legislation are often incredibly complex and even with tremendous support, budget and resourcing, securing them 100% is a pipe dream.

The legislation – Do as I say!

This legislation only provides a call to action – a reason for an increased focus on security.

Even though this legislation won’t solve the cyber security issues facing all Australian businesses, it will have many consequences, including forcing businesses to better protect themselves.

Benefits of the legislation

The greatest benefit ultimately is having better-protected data. Unfortunately, this will not happen overnight. It will take many years and a few more public breaches before most organisations take or finalise action.

Comprehensive, enterprise-level cyber security programs are expensive to implement and difficult to maintain. For some organisations, security is low on the priority list until the fear of going public, due to a large-scale breach, creeps up.

Those costly breaches will ultimately force companies to act, as well as notify their clients. With this new legislation in place, the public will now be alerted efficiently when an organisation they trust with their private information has been compromised.

Impact on businesses in Australia

When a business with over $3 million in turnover is breached, it must go public, alerting the government as well as all parties that may have been affected.

There is no monetary penalty for a business that has been breached. However, the legislation does put into action a civil consequence: a maximum penalty of $360,000 for individuals and $1,800,000 for corporate bodies. These fines are imposed on serious or repeat offenders.

Organisations that are breached could also take a substantial hit to their reputation. Customers will now be informed and may decide to take their business elsewhere, or even seek compensation for damages suffered. This impact on Australian businesses can be lasting and financially hard.

There is, however, a silver lining. Businesses that are worried they may have to report a breach may give a little more thought to securing the data they hold, and this can only be good for businesses and consumers alike. Luckily, there are also certain steps organisations can take towards a more strategic cyber protection plan.

The importance of protection

Effective security is extremely difficult and it’s often hard to know where to begin.

Start with secure coding, perform real-world tests of systems to try to find vulnerabilities (patching them straight away), and make sure the design and monitoring of the systems are working effectively.

Keep in mind that security initiatives like application whitelisting are often put in the “Too Hard Basket”. In 2017 there is no more “Too Hard Basket”. Cyber protection is an essential part of running a successful business; shortcuts cannot be accepted.

The Way Forward

Cyber security issues cannot be solved overnight just because of the new legislation. At best, we can expect a change in how businesses conduct themselves and how the public is protected.

Larger organisations cannot afford to ignore the continued publicised breaches and real-world security advice from experienced professionals and expect the public to be forgiving when they get breached through a web server that hadn’t been patched in two years. Security must be a forefront topic and mature discussions must be held to allow for security measures to be put in place so that one day we can prevent breaches.

Tilley has written a three-part blog post covering this legislation in more detail.


SecureWorks has written a white paper titled “4 Key Preparation Strategies for Eligible Breach Notification Laws” and it is a good place to start.
