Mandatory data breach notification changes will have a major impact on companies and individuals, writes partner Nick Abrahams.

This article was originally published by The Australian Financial Review and is reproduced with permission.

Dear customer, Russian hackers have your data

The introduction of data breach notification laws will be a significant impost on companies, but may be the only defence left for people who value their privacy, writes Nick Abrahams.

The federal government has announced that, before the end of the year, we will have mandatory data breach notification. This means companies will be required to notify us whenever the information they hold about us gets hacked or otherwise inappropriately disclosed.

This will be a significant impost on companies in relation to compliance costs and potential adverse reputational impact. For us little people, it may be the only defence we have against the tidal wave of big data analytics ripping away the last vestiges of our privacy (or it may be just more annoying junk mail).

What it certainly means is that cyber risk should be a top three issue for all board risk committees this year.

The concept of mandatory notification has been before our Federal Parliament in one form or another for a few years now. It has been standard practice in 47 US states for almost a decade, and President Barack Obama has just announced a major new measure designed to create a uniform breach notification law across the country. There are notification laws in various parts of Europe and Asia.

It is inevitable that we will have mandatory notification. The key issue will be how to ensure that the regime achieves its public policy objectives, which are:

  • To encourage companies to better protect our data.
  • To maintain community confidence when transacting with organisations.
  • To protect us when our data goes awry by allowing us to take action to mitigate possible harm from the disclosure.

Achieving these policy-driven outcomes will not be without its challenges.

A study at Carnegie Mellon University compared US states with data breach notification to those that did not have such laws and found that the notification laws were effective in reducing identity theft only in the 12-18 months after their introduction. After that, rates of identity theft returned to similar levels across all states.

Notification fatigue

There is also the notification fatigue issue to deal with. A Ponemon Institute survey of people who had received breach notifications found that 39 per cent of those people thought the notices were junk mail and 48 per cent thought the notice was misleading or confusing.

Opponents of the idea argue that a notification obligation in fact penalises those companies who diligently monitor their networks and data.

This is because diligent companies will become aware of breaches and will then be forced to notify, whereas those with more lax arrangements would not become aware of the breaches and therefore would not have to notify anyone.

The most critical aspect to get right will be the trigger for the notification. It cannot be just any breach of privacy, as this would result in excessive compliance costs and notifications. There ought to be a threshold before notifications need to be issued, such as where there is a real risk of harm to the individual if they were not to be notified.

At present in Australia there is no law that requires companies whose customers' data has been compromised, whether by hacking attack or otherwise, to notify the affected customers. The new law will change that. Such public shaming will lead to significant losses to organisations in terms of reputation and, as has been seen in the United States, class action lawsuits.

In the digital age, confidentiality and trust are the new market differentiators. These new laws will see the appointment of more chief risk, trust and confidentiality officers as well as a heightened focus on cyber security, especially the idea of encrypting data at rest rather than just when in transit.

With more than 100 million data breach notices issued every year in the US, it is questionable how effective the regime is over there. Depending on how our government implements the regime, we may need to expand the notice on the letterbox to "No Junk Mail or Data Breach Notices Please".