Posted: 2018-02-21 13:04:00

The hair-trigger notifications risk not just overwhelming inboxes but producing a phenomenon known as “data breach notification fatigue”. That is, consumers will become so inured to notifications of every attempted hack that when the big one comes they will not respond to the warnings about changing passwords and cancelling credit cards.

When you consider that research by Symantec shows that 7 billion online identities have been stolen in the past eight years (the equivalent of one for every person on the planet), the risk of notification fatigue is very real.

The issue is, what constitutes a data breach that should trigger a notification? Is it a gentle tap on the cyber-door by a hacker who then runs away? Or is it a full blown ram raid where the bad guys get away with the goods?

The definition of “data breach” is broad, as is the definition of “serious harm”. A data breach covers unauthorised access to, disclosure of, or loss of customer information held by a company (for example, personal information, credit reporting information or tax file information), and it becomes notifiable when it puts the individuals affected at “real risk of serious harm”. Harm includes all imaginable forms: physical, psychological, emotional, harm to reputation, economic harm and financial harm.

This will require judgement calls to be made by organisations as to when notification is required to be made, and introduces compliance uncertainty, at least until a number of incidents have occurred and been considered by the Privacy Commissioner.

The notifications need to include specific details including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing passwords, for example). The entity must make such a notification when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. There are also quite robust obligations to undertake investigations even when an entity has a mere “suspicion” that there may have been a breach.

In practical terms, this could mean you receive an email every time a business suspects but can’t conclusively determine that there has been a data hack, in a world where cyberattacks are occurring by the thousands every day.

Fears about the costs to business and of data breach notification fatigue were partly responsible for delays in implementing the scheme.

The delays mean Australia is still playing catch-up with other major economies. And the exemption of small businesses from taking part in the scheme could still mean Australia falls afoul of its major trading partners’ requirements. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. If the EU is satisfied, then personal data can flow from the EU to that third country without any further safeguards being necessary. The EU has recognised New Zealand as offering adequate protection, but not Australia. Exempting around 60 per cent of Australia’s businesses from the new scheme is hardly likely to provide much comfort for regulators in Brussels.

Mark Vincent is a principal at Shelston IP Lawyers and an expert in cloud computing.
