New rules on data breaches take effect

The new rules are intended to force businesses to notify consumers of a data breach.

What are your thoughts on the Notifiable Data Breach Scheme?


Great… But. When a company is breached and your data is stolen and your life becomes a misery as you try to convince the authorities you are who you say you are and you were not in Russia on that particular date… where is the compensation? Look at what happened to Equifax in the US. Equifax (previously known as Veda) hold an enormous amount of personal financial data… they make their money on it (Asia Pacific revenue was over $82 million in the third quarter of 2017)… why would they want anyone to know if our data is stolen… better to risk 2% of your quarterly revenue… a slap on the wrist and that’s it.
These “consumer protections” need much bigger teeth.


Caveat: I do not subscribe to the following but it is the one that is pervasive among government decision makers of libertarian bent, and the others who just like to cosy up to business.

Distilling it into a simplistic concept: if companies or directors are punished so severely that they are forced to shed jobs, be wound up or face personal bankruptcy, it is not good for anyone. The services they perform could become unavailable, quality business people (we have so few and they must be encouraged!) would decline roles where their economic situation could be put into jeopardy, and education is preferable so that they learn their responsibilities and good behaviour and will not re-offend.

That has worked a bit better than the thoughts and prayers in the US, but much of our so-called consumer protection does appear to be a mockery.


I agree in not subscribing to that view.

The fines and punishments for breaches to corporate or consumer law need to be severe enough to cause metaphorical pain to office holders and entities. Otherwise the fines, if they occur, are ‘written off’ into the ‘cost of business’ and nothing changes.


NSW Government taking the lead on data breach butt covering …

“It appears the bill… has been developed without evaluating the adequacy and efficacy of the existing voluntary breach reporting scheme, or whether serious breaches are currently going unreported…”, he said.

Why do I read that as “We need to work out whether honesty, integrity and openness within the NSW Government is working, based only on those cases where the Government has displayed honesty, integrity and openness, because they are the only ones we know about” … yeah maybe a little cynical …


Your comment was not one ounce (sorry, metrication: gram) of cynicism; it was realism. How do they know the voluntary system works when no one is required to report breaches, and therefore probably doesn’t, as they would then have to respond to questions and outrage? Why would they subject themselves to the demands and abuse?

And the line “no other state or territory government had developed a mandatory breach reporting scheme” is the cop-out of all cop-outs. The “if someone else hasn’t done it then we shouldn’t do it” attitude stinks. Then nobody would do anything because no one else had done it, and round and round it goes, where it stops nobody knows.

The typical “we know best what’s best for you all to know, and we will decide if you need to know, because we don’t think you need to know anything” attitude is galling in its temerity, but it is getting to be typical of governments and organisations, whether business or otherwise.


Just on data breaches… I see today in IT News that “Typeform” data was breached. In August 2017 I completed a survey for Choice Campaigns that went through Typeform.
Does Choice still use Typeform? There are great open-source software options that could do the same and could be hosted locally… has Choice considered this?


Unfortunately, we were affected by the breach. We’ve contacted the 592 people who were exposed and let them know the situation and offered some advice. We’re all very disappointed this has occurred and we’ll be looking into our practices thoroughly to avoid this happening again.

We also apologise to anyone who has been affected.


Fortunately, the data collected in the survey (name, phone number and email address) is often widely available on the internet… but it makes it easier for spammers to send out ‘authentic looking emails’ when it is all together in one place.

I often google my email address and it is amazing where it has been captured, like on this site…

Fortunately we have two email addresses… one for private use (friends and family only) and another for public use (anyone else). It is only the public one which has been captured somewhere, possibly through historical data breaches.


Has Choice established that the information was definitely leaked, or is it just a possibility/likelihood?

I got the email, and really, while I appreciate the notification, it’s no big deal to me and probably just one of the many leaks of my information in recent months. The only difference here is I’ve been told 🙂 which is good …

I expect it to happen again - that’s just the age we live in. Do your best, do a review, sure - you never know if you can improve until you look, but it’s like driving ‘safely’ … there’s always complete externals and always a next time … The best protection is to minimise the data collected to only what is needed - as usually seems the case with Choice surveys - so I’m happy …


Interesting and vaguely reassuring if you are not a cynic …

The report shows that only 60.2 percent of the 93 reporting agencies are fully compliant with the top four controls. This is an improvement of only 1.1 percent on the 2015-16 figure of 59.1 percent. In 2014-15, the figure was 48.4 percent.

(All three figures are different to last year’s report as it contained responses from 105 agencies – including those who reported voluntarily – instead of 93.)

However there has been much improvement with the top four requirements for Canberra’s biggest service delivery agencies since an audit of the then-Immigration, Human Services (DHS) and Tax agencies in March 2017 – outside the scope of the most recent PSPF reporting.

The audit found that only DHS was fully compliant with the top four, while the ATO and Immigration failed to properly implement application whitelisting or to adequately patch operating systems and applications.

The ATO has since become compliant and the Department of Home Affairs is now nearing full compliance.

Latest compliance report (from the article) makes interesting reading indeed …


The pdf referenced half way down the article is much more telling HERE


Proposed changes to the Privacy Act would significantly increase fines for data breaches.


It is inadequate. There are loopholes. Small businesses are exempt! The fines are minuscule compared to the value of the data or the cost of properly protecting it in many cases.

My expectation given this new requirement is that the number of reported breaches should increase by at least a factor of ten if the legislation is working - so let’s see some reporting on it. Certainly the figures from @draughtrider give me some suspicion that the legislation contains way too many business-friendly holes to be effective, if “notifiable data breaches” are holding steady quarter-on-quarter - simply on the basis that attackers are getting ever-better. It is unclear how breaches are assessed as ‘human error’ vs. ‘malicious or criminal attacks’, when the easiest way to gain criminal access to a system is via human error using a targeted phishing attack.

As a side anecdote, my employer recently engaged a company to improve employee awareness of IT and physical security risks. The email advising individual employees about it contained a link to the security company, and I pointed out to the internal ‘security experts’ that it could very easily have been from a hacked account or otherwise compromised. Red faces, perhaps? (I also notified them of some failings in the training materials, which were, for instance, happy for me to connect to a coffee shop’s open WiFi network!)

Edit: I see that the first quarter of reportable breaches (PDF) showed only 63 (breaches only became reportable half-way through the quarter). Given that there were still only 262 in the fourth/December 2018 quarter, I would say that we are still only seeing the tip of a very large iceberg.

All quarterly reports are available here.

And further to what I said earlier in this comment, 43% of ‘malicious or criminal’ breaches in the December quarter were phishing attacks - which could just as easily be attributed to human error. It is also interesting to see that government still doesn’t make up one of the top five breached sectors - is this because it has better legislative loopholes to hide behind?

Oh, and I see that public sector education providers are not covered by the law, as they are bound by state and territory privacy laws. There are obviously plenty of other entities that will be able to drive a bus through that loophole. Just… wow!


Perhaps icebergs and data breaches share two things - we only see around 10%, but really it’s amazing we see any at all …