Having private data leaked publicly is annoying when all you need do is change a password, but for some it can be far more serious.
With Australia, the latest country to add Data Breach Notification laws, we look at the effectiveness of such measures for people at risk of serious harm.
Having your private data leaked publicly is never pleasant, and replacing compromised passwords is annoying and inconvenient. But spare a thought for people affected by the leaking of highly sensitive data – the sort of information that has an immediate and serious impact on people’s lives.
Here are a few examples to consider:
• A person fleeing a violent relationship has their address details released, putting them at physical harm.
• Information about a medical condition is revealed unexpectedly, such as a pregnancy, cancer or a terminal illness.
• Private information that reveals trade secrets cause economic damage, like KFC’s “Eleven Secret Herbs & Spices”.
• Major identity theft resulting in a persons’ life savings being stolen, causing severe financial and psychological distress.
Sensitive data can include lots of different types of information. It is any data that reveals things like racial or ethnic origins, political or philosophical opinions or affiliations, criminal records, religious beliefs, sexual orientation or practices. It can also include private health data such as your medical records and genetic data, and even biometric data such as fingerprints.
But it’s not just about the data that puts a person at risk, it’s also the location, context, and personal circumstances of individuals and society that all have an impact.
It’s for these reasons that many governments around the world enact laws that aim to protect their citizen’s right to personal data protection – with one such measure being Data Breach Notification laws.
The latest country to introduce Data Breach Notification laws is Australia, with their parliament recently passing laws to come into effect in the next 12 months. Meanwhile such disclosure laws have already existed in most U.S. states since 2002, and the EU is already transitioning into their General Data Protection Regulation to come into full effect from May 2018.
But what do these laws do for us, private citizens?
These laws are designed to solve two problems – to force organisations who suffer data breaches into disclosing when it happens, and by way of wanting to avoid a reputation loss, motivate them to protect data better in the first place.
In practice though, and as the popular saying goes, “your mileage may vary”. Unfortunately, despite these laws being widespread in many countries, data breaches continue to happen with alarming frequency.
For people who may be seriously affected by compromised data leaked publicly, timely notification of a data breach can literally mean the difference between life and death. This further highlights the importance of getting these laws right, and having big business do the right thing to better protect data too.
Looking to the new Australian law as an example of the challenge, they have the concept of an “eligible data breach” defining when companies need to disclose an incident. A breach will only be disclosed if all the following is true:
- The data relating to you was lost or stolen (and it wasn’t recovered); AND
- The data relating to you is “likely to cause serious harm”.
Hmmm, “serious harm”. What exactly is serious harm?
According to the legislation, it can include serious physical, psychological, emotional, economic and financial harm. And it also includes serious harm to your reputation which is good too.
While it’s natural to be upset if your data is leaked online though, these laws have been designed to apply to much more serious consequences that could arise from a breach. Whether that’s enough or not to motivate big Australian businesses to better protect data in the first place, only time will tell.
However, one advantage to the Australian laws appears to be the requirement to notify “any individual affected” regardless of where they reside. Contrast this to some U.S. state-based disclosure laws, such as California for example, that places an obligation only to notify “any California resident” of a data security breach. At this stage, the United States does not have any federal data breach notification laws.
In a much broader reform, the EU’s ambitious regulations set to come into full effect by May 2018 will apply to “all foreign companies processing data of EU residents”. What impact this will have in reality is yet to be seen.
As consumers, we all have a choice to take our business elsewhere if a business isn’t protecting our data properly, except that knowing this before a breach happens is virtually impossible to determine. Hence the need to ensure these businesses will not try to hide breaches when they occur.
Let’s hope that big companies continue to take their obligations seriously and err on the side of caution – disclosing breaches on the basis that it’s the right thing to do – and otherwise doing everything they can to protect data before it’s compromised.
Until next time, stay safe out there.
Michael McKinnon is a cyber security expert at Sense of Security - a leading Australian cyber security consulting practice. With a core focus of achieving cyber resilience for business and government, Michael is a trusted advisor to some of Australia’s best known brands and organisations. He is a frequent media spokesperson and has been a member of the steering group committee for the Australian Government’s Stay Smart Online initiative.