OPINION

Important email likely to be missed in flood that's about to hit your inbox

"Once more unto the (data) breach, dear customer."

To misquote Oscar Wilde, there is only one thing worse than not being told about a data breach, and that is being told about a data breach 10 times a day from 10 different service providers for the rest of eternity.

From today, Australian business enters a brave new world of data protection. Under the watchful eye of the Office of the Australian Information Commissioner, the Notifiable Data Breaches scheme will require businesses with an annual turnover of more than $3 million to let their customers know if there has been unauthorised access to personal data in a way that could cause harm.

The scheme is an attempt to have Australia catch up with the rest of the world in terms of its corporate data security. Failure to notify a breach attracts fines of up to $360,000 for individuals and $1.8 million for businesses, for serious or repeated infringements.

With that type of penalty, and the likelihood of the office being keen to make an early example of businesses not doing the right thing, it would be safe to assume that companies will err on the side of caution – which means plenty of emails and texts to anxious customers.

The hair-trigger notifications run the risk of not just overwhelming inboxes but of a phenomenon known as “data breach notification fatigue”. That is, consumers will become so inured to notifications of every attempt at a data hack that when the big one comes they will not respond to the warnings about changing passwords and cancelling credit cards.

When you consider that research by Symantec shows that 7 billion online identities have been stolen in the past eight years (the equivalent of one for every person on the planet), the risk of notification fatigue is very real.

The issue is, what constitutes a data breach that should trigger a notification? Is it a gentle tap on the cyber-door by a hacker who then runs away? Or is it a full-blown ram raid where the bad guys get away with the goods?

The definition of “data breach” is broad, as is the definition of “serious harm”. A data breach includes unauthorised access to, disclosure of, or loss of customer information held by a company (for example, personal information, credit reporting information or tax file information) that puts the individuals affected at “real risk of serious harm”. Harm includes all imaginable forms – physical, psychological, emotional, harm to reputation, economic harm and financial harm.

This will require organisations to make judgement calls about when notification is required, and introduces compliance uncertainty, at least until a number of incidents have occurred and been considered by the Privacy Commissioner.

The notifications need to include specific details including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing passwords, for example). The entity must make such a notification when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. There are also quite robust obligations to undertake investigations even when an entity has a mere “suspicion” that there may have been a breach.

In practical terms, this could mean you receive an email every time a business suspects but can’t conclusively determine that there has been a data hack, in a world where cyberattacks are occurring by the thousands every day.

Fears about the costs to business and of data breach notification fatigue were partly responsible for delays in implementing the scheme.

The delays mean Australia is still playing catch-up with other major economies. And the exemption of small businesses from the scheme could still mean Australia runs afoul of its major trading partners’ requirements. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. If the EU is satisfied, then personal data can flow from the EU to that third country without any further safeguards being necessary. The EU has recognised New Zealand as offering adequate protection, but not Australia. Exempting around 60 per cent of Australia’s businesses from the new scheme is hardly likely to provide much comfort for regulators in Brussels.

Mark Vincent is a principal at Shelston IP Lawyers and an expert in cloud computing.