Consulting firm Protiviti has predicted troubling times ahead for Australian organizations who, according to the company, may face confusion when trying to comply with the Federal Government’s mandatory data breach notification proposals.
Protiviti argues that, unlike in the EU and US, where clearly defined notification guidelines set out what companies must do in the event of a significant data breach, the concepts in Australia’s draft Bill are sketchier, which could leave organizations having to make judgment calls about whether their notification obligation has been triggered.
Protiviti points out that the Bill requires companies to consider whether there are ‘reasonable grounds’ to believe a ‘serious data breach’ has occurred which has led to a ‘real risk of serious harm’ before they are obliged to notify those affected.
However, as Ewen Ferguson, managing director of Protiviti, explains, the complexities and inconsistencies that often surround cyber breaches mean organizations may struggle to ascertain whether all of these thresholds have been met, leaving them unsure about the course of action they should take.
“After all, there’s a wide spectrum of circumstances in which a data breach can occur, ranging from an employee losing a laptop containing a limited amount of non-financial personal information, to a large scale malicious theft of credit card details,” said Ferguson.
“What’s more, in many cases it will not be clear who has acquired the data, and how or for what purposes the data was compromised, making it difficult for companies to gauge the severity and impact of the breach,” he added.
This confusion may lead companies to err on the side of caution and, whether seeking to escape public scrutiny or simply because they are uncertain, avoid or delay disclosing the details of a breach. This is something that can have disastrous ramifications for those affected, for customer confidence and for company reputation.
“Customers rightly expect that if they give companies their personal data and information that company will look after it, it’s a huge breach of trust if they delay telling them [that a data breach has occurred],” David Flower, MD EMEA at Carbon Black told Infosecurity.
If organizations value the confidence of their customers, it’s imperative they “respond fast in the wake of a breach and be open about what has happened – otherwise, those customers could be calling for their jobs,” Flower added.
These are sentiments echoed by Tony Pepper, CEO of Egress Software Technologies, who commented on the “ongoing damaged reputation and reduced revenue” high-profile companies have recently suffered as a result of failing to swiftly deal with and disclose significant cyber-attacks, in particular that suffered by TalkTalk in October last year.
“TalkTalk has reportedly lost 100,000 customers and suffered costs of £60m,” he said.
Protiviti has also raised concerns over the maximum fine of $1.7m the draft Bill proposes for companies that fail to meet the standards of the Privacy Act.
The firm suggests the figure is too small to push some medium and large organizations to upgrade their security infrastructure, since such upgrades can cost more than the maximum penalty; those organizations may instead choose to run the risk of suffering a breach, because the quantifiable penalty is relatively insignificant.
The firm may have a point here – when you consider that in the EU the upcoming General Data Protection Regulation (GDPR) will have the power to impose fines of up to 4% of global turnover (or €20m, whichever is higher) for companies who do not meet its privacy standards, the maximum figure of $1.7m that Australian businesses could be slapped with does seem a little trifling.
This is a view shared by security researcher Troy Hunt, who told Infosecurity he would prefer to see an approach similar to the GDPR implemented in Australia, with companies facing greater fines than the $1.7m currently being mooted.
“That figure is a fraction of a percent of revenue for larger organizations and it’s simply not going to hurt enough to dissuade them from mishandling data,” he argued. “Combining the facts that $1.7m is a small part of a large organization’s IT budget and that for many organizations data breaches remain a hypothetical eventuality, I worry that this will have little impact on the defensive measures many companies implement.”
However, Hunt was quick to point out the Bill is still only at the draft stage and that he hopes community feedback in the interim will help refine the finished product.
“We need legislation that unambiguously sets out requirements for disclosure not just for the protection of consumers, but to make that self-assessment process on behalf of organizations easier,” he said.