Tuesday, 13 February 2018 11:00

Data breach law will not change status quo: claim


Australia's data breach law, which takes effect on 22 February, will be among the weakest in the world and is unlikely to put any pressure on businesses to change the way they currently protect personal data, the founder and chief technology officer of a cyber security consulting firm claims.

Phil Kernick of CQR Consulting (below, right) told iTWire that he was not saying the law was pointless. "There is clearly a need for protection of personal data held by businesses," he said. "The problems arise from the fact that the laws don't effectively internalise the costs that result when a data breach occurs."

Breaches of the law, in the form of failing to notify those affected by a breach, will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines. Only organisations with revenue of more than $3 million are covered.

Kernick said when a breach that resulted in the loss of personal customer data took place, there was an external cost borne by the victims.

"This cost can range from mild inconvenience for those affected, such as the need for a new credit card, to larger costs like reputational and financial damage," he pointed out.

"For the business itself, however, there is often little more than a short-term reputational loss that occurs. History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations. Even dating site Ashley Madison continues to flourish following a massive data breach back in 2015."

As a result, he said, there had been little incentive for businesses to increase their security budgets to ensure proper protection of personal data – the associated costs had not been internalised.

"This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take."

Asked about the costs that a business would suffer due to class action suits following a breach and whether that would not act as an incentive to have better security, Kernick responded: "It's possible, but not probable. We aren't as litigious as other countries, and given the Privacy Act already defines the process and penalties, it's hard to see the Federal Court hearing such an action."

He said that under the new law, any business affected by a data breach was responsible for deciding whether "serious harm" was likely to occur to any person whose data had been compromised.

"If the company decides the serious harm bar has not been exceeded, it doesn't have to take any action at all. So, a company could simply decide that having a customer's personal contact details out on the Internet will not result in serious harm to them - and that's the end of it," he said.

"There is nothing to compel them to take any other steps. In fact, if you look at data breaches that have already occurred in Australia, it is hard to find one where the 'serious harm' definition would actually have come into play. Clearly these new rules need to be toughened up.

"If a business does decide that serious harm could occur to individuals who have had their personal data stolen, all that the management has to do is provide a statutory notification to the Privacy Commissioner who may then determine that all that's required is the posting of that declaration on its website."

Asked why the government had set the bar so low that in effect it was a case of the fox watching the hen house, Kernick pointed to a clause in the privacy law: "In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of notification fatigue among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement."

His interpretation of that was, "reading between the lines, the ALRC (Australian Law Reform Commission) seems to believe that there are going to be a lot of data breaches. The serious harm threshold will be set by common law, so expect that there will be cases intended to set exactly this bar."

As to how the law could be strengthened so that it would be more meaningful, Kernick said first, the responsibility for determining whether the serious harm bar had been exceeded should be shifted from the affected company to the Privacy Commissioner.

Then there should be a provision included that stipulated whenever a data breach occurred, the business was obliged to contact every customer and let them know about the incident, whether it met the definition of serious harm or not. This would mean a cost for the business which would encourage them to strengthen security ahead of time.

"The Australian Government should also look closely at the privacy regulations now in place in other parts of the world," Kernick recommended. "For example, the General Data Protection Regulation rules in the European Union (which come into force in May this year) provide the ability to levy fines equivalent to 4% of a company's annual turnover."

He said if such rules existed in Australia it would mean a change in the rules of the game.

"These extra steps need to be taken as soon as possible to internalise the costs of data breaches and ensure that businesses in Australia are taking all the steps required to effectively secure the personal data they are storing," Kernick added. "Doing nothing means the burden unfairly remains with affected individuals rather than the businesses that have been careless with their data."

When it was suggested that the law was more of a band-aid to cover for the fact that Australia has no data breach law and to pacify trading partners and the public, Kernick took a more moderate tone.

"It's a good start. We are slow to the party but at least we are now there," he conceded. "The opportunity exists to strengthen the regulations going forward. Remember there are still large carve-outs in the Privacy Act. State governments and local councils, which hold vast amounts of personal information, are currently exempt."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.