The Optus data breach, which has affected nearly 10 million Australians, has sparked calls for changes to Australia’s privacy laws, putting limits on what and how long organizations can keep our personal data.
Equally important is strengthening the obligations for organizations to disclose data breaches. Optus made a public announcement about the breach, but was not required by law to do so.
In fact, aside from the aggregated data produced by the Office of the Australian Information Commissioner, the public is not even made aware of the vast majority of data breaches that occur in Australia each year.
Australia has a “Reportable data breachesscheme since February 2018 requiring all organizations to notify affected individuals and the office of the Australian Information Commissioner in the event that a personal information breach could lead to serious harm.
However, no notification is required if the organization takes corrective action to prevent damage. Most importantly, disclosure is never required.
This gives organizations a lot of freedom. They can assess the risks themselves and decide not to disclose a breach at all.
Companies listed on the Australian Securities Exchange (ASX) are also required to disclose data breaches that are expected to have a “material economic impact” on a company’s share price. But it is notoriously difficult to measure material economic impact. These announcements are therefore not a reliable source of information for the public.
Notified data breaches
While the Reportable data breaches regulation is a step in the right direction, it is impossible to know whether the disclosures reflect the size and scope of data breaches.
The most recent Reportable Data Breach Reportcovering the six months from July to December 2021, contains 464 notifications (an increase of 6% compared to the previous period).
Of these, 256 (55%) were attributed to malicious or criminal attacks and 190 (41%) to human error, such as emailing personal information to the wrong recipient, accidentally publishing information, or losing data storage devices or paperwork. Another 18 (4%) were attributed to system errors.
The sectors that reported the most breaches were healthcare (83 reports); finance (56); and legal, accounting and management services (51).
About 70% of all incidents reportedly affected fewer than 100 people. But one event affected at least a million people. Despite the size, the public has not been given any details about these events, or the identities of the organizations responsible.
Regardless of the size or reason, all data breaches have an impact on people and organizations. Despite this, we rarely learn anything other than the most spectacular and most criminal of these events.
Without a disclosure obligation there is insufficient public accountability.
How should minimum disclosure work?
A minimum disclosure framework should contain information about the type of data that has been breached, the sensitivity of the data, the cause and extent of the breach, and the risk mitigation strategies the organization has adopted.
The framework should require both a standardized public announcement when a significant data breach occurs and a mandatory annual public report of data breaches. Reports and announcements must be published on the company’s website (much like an annual report) and filed with the Australian Information Commissioner’s office.
This would ensure public access to a coherent historical record of breach-related events and organizational responses. The disclosures would allow community groups, regulators and interested parties to analyze and act on breaches of our data.
At its simplest, a mandatory disclosure framework encourages annual disclosures that are comparable and publicly available. In any case, it creates opportunities for testing and discussion.