Australia, like many parts of the world, has been throwing around the idea of mandatory data breach disclosure laws for a while now. The premise is simple: if a company loses their customers’ data, they should let their customers know about it. Easy, right? Of course it’s nuanced in all sorts of ways such as what activity actually constitutes a “data breach” (illegal intrusion, theft of a laptop with data on it, losing a thumb drive with customer info, etc), but the concept of alerting impacted parties to an unforeseen exposure is the basic sentiment of the law.
Earlier this week, a bill on precisely this passed through our senate down here and more than anything else, it shows what a sorry state of affairs we’re in when it comes to data breaches. This may be Aussie legislation, but you’ll see aspects of the thinking reflected across the globe and frankly, I’ve got a few bones to pick with it. Let’s begin here:
“It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities”
So let’s just make sure we understand this correctly: when a company is negligent and loses the data their customers entrusted them with, there’s concern that having to email the customers and let them know might place an “administrative burden” on the guilty party, and therefore they should be saved the hassle of notifying the victims. I’m sure you can see the problem here, and it’s not just that the guilty are protected whilst the innocent are exploited (and that’s precisely what happens after a data breach); it’s that the fix is so simple. Emailing customers and explaining what happened is a perfectly reasonable, easily achievable expectation.
The story then goes on to talk about one of the reasons for not necessarily notifying impacted parties being the risk of “breach fatigue”, or in other words, people getting too many notifications about companies losing their data. Now this I have a real problem with, because whilst on the one hand the statement recognises what a big problem data breaches are becoming, on the other hand it says that rather than fixing the root cause and holding companies accountable, it’s better to ignore some of them. In what possible way does this protect consumers, hold negligent organisations accountable or in any way whatsoever improve the state of online security?!
And finally, the legislation goes on to say that in cases where “it’s not certain that a breach has occurred”, the entity has 30 days to investigate. What on earth are these organisations doing over the course of an entire month?! I can tell you precisely what the attackers taking the data are doing – they’re exploiting the stolen credentials as fast as they can. The wording of this leaves the door open to weaselling out of doing the right thing at the expense of the victims.
Data breaches are not fun for either the organisation involved or their impacted customers, but accountability has to rest with the negligent party and protections must be afforded to those who trusted them. For a textbook case on how these incidents should be handled, read through how the Australian Red Cross Blood Service dealt with their incident last year. That’s the level of accountability we should be expecting of all organisations globally and unfortunately, it looks like we’re still a long way off that happening.