Friday, 16 February 2018 09:39

Data breach law will change status quo, says practitioner


A Melbourne-based lawyer and business adviser says the new data breach notification law will not be the only one working to potentially internalise the costs of a breach.

"There are also obligations arising under contract, duty of care, trade secret and confidentiality, and potentially the Australian Consumer Law as well," Joel Vernon told iTWire in response to the views expressed recently in these columns by cyber security consultant Phil Kernick.

The Australian data breach law takes effect on 22 February. Kernick had expressed the view that the law would be among the weakest in the world and that it was unlikely to impose any pressure on businesses to change the way they protect personal data at the moment.

Vernon's view differed. He said the obligations listed above, when coupled with the potential for sufficiently-motivated and resourced plaintiffs to commence group or class action proceedings, would make cost internalisation fairly apparent.

"APP (Australian Privacy Principle) entities are also not necessarily out of the woods if they either reach a 'no harm' assessment or provide the notification. There may still be grounds for a complaint or a Commissioner’s own-motion investigation, in addition to other remedies under these other legal obligations."

He noted that the fines (or, rather, civil penalties) were up to $420,000 and $2.1 million for non-body-corporates and body corporates respectively. "Failure to comply with the notification regime is not the only potential liability under the Privacy Act – others are also in play," he added.

Vernon, who is a lawyer by trade but now more of a business adviser, has a background in IT as well, having worked for both Primus and Telstra.

He said it was not the case that only organisations with $3 million in revenue were covered by the law, with the relevant calculation being annual turnover.

"There are a range of other entities which are within the jurisdiction of the Privacy Act even if they do not reach this monetary threshold (such as health service providers, credit reporting bodies, and contracted service providers under a Commonwealth contract (even if not privy to the contract))," he pointed out.

"In other words, the obligations are of far wider significance and cover a range of otherwise quite small businesses which need to think very carefully about their operations and processes and whether they are complying with the Privacy Act now and additionally from 22 February."

Vernon said the solution proposed by Kernick — requiring all entities to simply report all breaches and shift the harm assessment to the Privacy Commissioner — did not change the cost dynamic.

"There is a cost either way. Entities bear the cost of notification (which may be marginal) or they bear the cost of the harm assessment," he said.

"Shifting the harm assessment from the entity to the Commissioner, in fact, externalises the cost from the entity and shifts it back to the community. Such an approach does even less for cost internalisation, if that is the policy goal."

He said he agreed with the views expressed in these columns by Helaine Leggat, director of Melbourne firm Information Legal, a few days ago.

"The Privacy Act is legislation informed by and motivated by Australia being a signatory to the International Covenant on Civil and Political Rights. In an ideal world, privacy (and security) shouldn't depend on legislation but should be an inherent part of the social contract. We collectively undervalue our privacy (and our personal information) and willingly trade that to others who value it more in exchange for convenience or features.

"The Privacy Act is an attempt to narrow this value relativity. There is plenty to be done in this space, even outside the notification regime, and I fully agree with Helaine when she says 'smaller businesses do not know what is required, and if they do, they have little idea of what to do. Even big organisations are struggling'. I can attest to that from my own experience."

Vernon said that both business and government should be grateful for the chance to demonstrate a commitment to privacy and security by, for example, having breach response plans in place.

He added: "This is not to say this is the only thing they need to do to ensure compliance with the Privacy Act – there are many front-end obligations they need to be aware of, and for organisations outside the scope of the Privacy Act, there will be other arrangements and obligations that also need to be considered."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


