Friday, December 2, 2022

Optus data breach shows why Australia needs mandatory disclosure laws

By Shreya Christina, londonbusinessblog.com

The Optus data breach, which has affected nearly 10 million Australians, has sparked calls for changes to Australia’s privacy laws, putting limits on what and how long organizations can keep our personal data.

Equally important is strengthening the obligations for organizations to disclose data breaches. Optus made a public announcement about the breach, but was not required by law to do so.

In fact, aside from the aggregated data produced by the Office of the Australian Information Commissioner, the public is not even made aware of the vast majority of data breaches that occur in Australia each year.

Australia has had a “Reportable Data Breaches” scheme since February 2018, requiring all organizations to notify affected individuals and the Office of the Australian Information Commissioner in the event that a personal information breach could lead to serious harm.

However, no notification is required if the organization takes corrective action to prevent damage. Most importantly, disclosure is never required.

This gives organizations a lot of freedom. They can assess the risks themselves and decide not to disclose a breach at all.

Companies listed on the Australian Securities Exchange (ASX) are also required to disclose data breaches that are expected to have a “material economic impact” on a company’s share price. But it is notoriously difficult to measure material economic impact. These announcements are therefore not a reliable source of information for the public.

Notified data breaches

While the Reportable Data Breaches scheme is a step in the right direction, it is impossible to know whether the notifications reflect the true size and scope of data breaches.

The most recent Reportable Data Breaches report, covering the six months from July to December 2021, contains 464 notifications (an increase of 6% compared to the previous period).

Of these, 256 (55%) were attributed to malicious or criminal attacks and 190 (41%) to human error, such as emailing personal information to the wrong recipient, accidentally publishing information, or losing data storage devices or paperwork. Another 18 (4%) were attributed to system errors.

The sectors that reported the most breaches were healthcare (83 reports); finance (56); and legal, accounting and management services (51).

About 70% of all incidents reportedly affected fewer than 100 people. But one event affected at least a million people. Despite the size, the public has not been given any details about these events, or the identities of the organizations responsible.

Regardless of the size or reason, all data breaches have an impact on people and organizations. Despite this, we rarely learn anything other than the most spectacular and most criminal of these events.

Without a disclosure obligation there is insufficient public accountability.

How should minimum disclosure work?

A minimum disclosure framework should contain information about the type of data that has been breached, the sensitivity of the data, the cause and extent of the breach, and the risk mitigation strategies the organization has adopted.

The framework should require both a standardized public announcement when a significant data breach occurs and a mandatory annual public report of data breaches. Reports and announcements must be published on the company’s website (much like an annual report) and filed with the Australian Information Commissioner’s office.

This would ensure public access to a coherent historical record of breach-related events and organizational responses. The disclosures would allow community groups, regulators and interested parties to analyze and act on breaches of our data.

At its simplest, a mandatory disclosure framework encourages annual disclosures that are comparable and publicly available. In any case, it creates opportunities for testing and discussion.

This article was republished from The Conversation under a Creative Commons license. Read the original article.
