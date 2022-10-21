The federal Attorney-General has proposed rapid changes to the Privacy Act, including higher fines, formal processes for sharing information with third parties such as financial institutions after a known data breach, and changes to data storage and retention requirements.
However, to truly protect against data breaches three key areas need to be addressed.
First, government needs to mandate minimum requirements for implementing secure technology solutions.
Secondly, authorities need clear, consistent and regularly reviewed legislation and regulations. Finally, penalties need to attach to insecure data storage itself, not only to the data breaches that result from it.
Many of the proposed changes are based on what to do after a failure.
The Privacy Act already requires businesses to take reasonable steps to protect personal information from misuse, unauthorised access and disclosure.
Critically, there is no clear definition of what those "reasonable steps" are.
The national regulator for privacy, the Office of the Australian Information Commissioner, provides guidelines with many recommendations to secure personal information.
Many of these fall under what is commonly called "zero-trust architecture", such as strong identity authentication and multi-factor authentication, and they do not appear to have been followed in the Optus breach.
Currently the OAIC is investigating whether Optus took reasonable steps to protect the personal information they held, but past investigations show the "reasonable steps" approach is not passing muster.
In 2016 a contractor for the Australian Red Cross left completely open on a server 550,000 people's names, gender, date of birth and contact details - as well as whether they were engaged in high-risk sexual activity.
In 2020, 54,000 NSW driver's licences were found sitting on a completely open cloud server - likely as part of a larger NSW government data breach.
In all three cases the failures were staggering, yet the current Privacy Act's vague requirements did nothing to prevent them.
Data breaches are not isolated to Australia.
IBM's recent Cost of a Data Breach report contains some staggering global statistics.
First, 83 per cent of the organisations studied had experienced more than one data breach.
Second, 79 per cent of organisations in financial services, technology and communications that experienced a data breach had not deployed a zero-trust architecture.
Many of the recommended improvements, such as encrypting stored data, authenticating the identity of authorised users, password managers and multi-factor authentication, are cheap and easy to implement.
Can mandating clear rules work? Yes. The major credit and debit card companies released a standard, PCI DSS, first published in 2004, that requires any company holding card details to meet 12 clearly stated requirements covering encryption of stored card data, segmentation of the networks that handle it, access control and monitoring.
Since then, data breach after data breach has exposed personal information, but on the rarer occasions when card data is accessed it is almost always encrypted and therefore of little use to the attacker.
Unsurprisingly, businesses will follow a non-legislated standard when the alternative is being cut off from accepting card payments.
The other major issue is that there is a mishmash of different laws and regulations across state and federal jurisdictions that are not clearly aligned with the Privacy Act.
This is not simply poor design: different acts were implemented at different times with different priorities, such as post-9/11 laws requiring data collection to make detecting terrorists easier, or laws aimed at detecting criminal organisations and activities such as money laundering or fraudulent property sales.
We need to ensure that the Privacy Act, and the other acts that cover holding personal data, are regularly updated. The broad requirements for securing data should sit in the act itself, with the day-to-day requirements delegated to regulations so they can change as fast as the world does. Let's not forget the Privacy Act was created in 1988, before the public internet, smartphones, the cloud and social media.
Lastly, and potentially the most controversial, organisations should be licensed before they can hold personal data.
You need a licence to sell a beer, drive a taxi or sell real estate. Why shouldn't you need one to hold customers' personal information?
Smaller businesses could outsource their security and storage, which in many cases they already do by using cloud services for email, spreadsheets and point-of-sale technology; those services would then need to be formally vetted and licensed.
Larger companies would use approved independent cyber security firms to vet them and approve them for a licence.
Making swift, knee-jerk changes to the Privacy Act, like increasing fines, without sweeping reform of the other structural flaws in our privacy and cyber security regulatory framework won't stop the hacks from occurring. It merely applies a band-aid to an injury that requires major surgery.
