The Federal Government has passed a privacy amendment bill through Parliament that gives Australian business a reason to prioritise digital security and protect consumer information.
By passing the Privacy Amendment (Notifiable Data Breaches) Bill 2016 into law, the government has taken an important positive step to improve the privacy of personal information.
The need for mandatory data breach reporting legislation was first identified nearly a decade ago by the Australian Law Reform Commission, and in 2013 the Parliamentary Joint Committee on Intelligence and Security recommended that government move forward with the legislation.
In a positive show of bipartisanship, all sides of politics demonstrated strong support for the bill, which is a good outcome given its long history, and how earlier versions languished without a vote taken.
Way back in 2013, the Australian Communications Consumer Action Network (ACCAN) CEO Teresa Corbin said “consumers have a right to be informed when companies lose or misuse their data and ACCAN does not believe such notifications would be difficult to provide.”
Now that the bill is in place, almost a decade after it was first identified, business cannot say that it did not have sufficient warning.
And yet it is almost inevitable that some companies and organisations will still have to sit down and work out what the bill means in practice.
For business, the bill provides clarity over its obligations, and should ensure that business takes a fresh look at digital security with a focus on protecting personal information.
By doing this, it will likely improve overall digital security practices, which will be a benefit to the organization.
Business with an annual turnover of less than $3 million a year fall outside the legislation. This means Australian business groups need to develop an education campaign to ensure that small to medium enterprises not covered by the legislation understand that they also need to take cyber security seriously.
The penalties for failing to notify individuals of a personal information breach provide for fines up to $360,000 for individuals and $1.8 million for organisations. Whilst the penalties are subject to debate in the future about effectiveness, it is a key outcome that the bill has identified that an eligible data breach is when there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
The meaning of ‘serious harm’ is likely to be broad rather than narrow, and would be loss of personal information that might be used to impersonate an individual or to cause financial loss through such things as fraudulent credit card transactions.
For the long suffering CSOs and CTOs that have faced an uphill battle to secure internal funding for digital security, the government is a strategic ally.
This legislation should provide the impetus needed for business to justify an increased budget to support improved security.
But this increase in spending will naturally result in an increase in demand for cyber security experts and in a positive move the government recognized this shortage some time ago and has taken steps to prevent the graduate cyber security shortfall from becoming a major issue.
Education Minister Simon Birmingham and Assistant Minister for Cyber Security Dan Tehan recently announced a new initiative help universities develop the capabilities needed to train the nation’s next generation of cyber specialists.
“This is about attracting more Australians to cyber security jobs by supporting the universities that are on the front line training up the cyber security professionals combatting the threats Australia faces now and into the future,” Senator Birmingham said.
Around the world, the drive to increase the number of cyber security specialists to meet industry demands has accelerated over the past year. In the UK, on 4 February, the Government’s National Cyber Security Centre announced it was recruiting 250 students, and offering annual bursaries of £4,000, to boost the availability of cyber security experts and to boost Britain’s cyber security defences.
Mr Tehan identified the scope of the problem when he stated that “the information security field is expected to see a worldwide deficit of 1.5 million professionals by 2020 while Australian companies predict that 17 per cent of cyber security positions advertised by their company would go unfilled by that same year.”
For the nation and business, the need for improved cyber security is now well established, however, Australian experts have been warning government and business for the past decade that action needed to be taken to improve cyber security.
Now that Government and opposition parties are moving in a positive concerted way to address national cyber security and individuals’ personal information security, we should expect to see improvements in how the nation and business deal with cyber threats.
The bill is one step along the pathway and it is important for business to work with government to identify and understand what the next step should be. Government cannot compel business to protect intellectual property, but there is a national interest to ensure that business takes cyber security seriously.
For Australia to become leader in the global digital economy, it is vital that cyber security be a national focus and this means that there needs to be a reasonable commitment to cyber security-related expenditure.
In future decades, when we look back, we will see the Government’s positive efforts to improve the nation’s cyber security as the starting point for the next era of online activity and hopefully, with business on board, Australia will become one of the world’s leading digital economies.