The Times Australia
The Times World News

.
The Times Real Estate

.

After the Optus data breach, Australia needs mandatory disclosure laws

  • Written by Jane Andrew, Professor, University of Sydney Business School, University of Sydney
After the Optus data breach, Australia needs mandatory disclosure laws

The Optus data breach, which has affected close to 10 million Australians, has sparked calls for changes to Australia’s privacy laws, placing limits on what and for how long organisations can hold our personal data.

Equally important is to strengthen obligations for organisations to publicly disclose data breaches. Optus made a public announcement about its breach, but was not legally required to do so.

Read more: A class action against Optus could easily be Australia's biggest: here's what is involved[1]

In fact, beyond the aggregated data produced by the Office of the Australian Information Commissioner, the public is not made aware of the vast majority of data breaches that occur in Australia every year.

Australia has had a “Notifiable Data Breaches[2]” scheme since February 2018 that requires all organisation to notify affected individuals as well as the Office of the Australian Information Commissioner in the case a breach of personal information likely to result in serious harm.

However, no notification is required if the organisation takes remedial action to prevent harm. Most importantly, public disclosure is never required.

This gives a lot of discretion to organisations. They can make their own assessment about the risks and decide not to disclose a breach at all.

Companies listed on the Australian Securities Exchange (ASX) are also obliged to disclose any data breach expected to have a “material economic impact” on a company’s share price. But it is notoriously difficult to measure material economic impact. So these announcements are not a reliable source of information for the public.

Notified data breaches

While the Notifiable Data Breaches[3] scheme is a step in the right direction, it’s impossible to know if the disclosures made reflect the scale and scope of data breaches.

The most recent Notifiable Data Breaches Report[4], covering the six months from July to December 2021, lists 464 notifications (up 6% from the previous period).

Of these, 256 (55%) were attributed to malicious or criminal attacks, and 190 (41%) to human error, such as emailing personal information to the wrong recipient, publishing information by accident, or losing data storage devices or paperwork[5]. Another 18 (4%) were attributed to system errors.

The sectors that reported the most breaches were the health care service (83 notifications); finance (56); and legal, accounting and management services (51).

About 70% of all incidents reportedly affected fewer than 100 people. But one event affected at least a million people. Despite the scale, the public has not been provided details of these events, or the identities of the organisations responsible.

Regardless of the scale or reason, all data breaches have an impact on people and organisations. Despite this, we rarely learn about anything other than the most spectacular and most criminal of these events.

Without mandatory disclosure, there is insufficient public accountability.

How should minimum disclosure work?

A minimum disclosure framework should include[6] information about the type of data breached, the sensitivity of the data, the cause and size of the breach, and the risk-mitigation strategies the organisation has adopted.

The framework should require both a standardised public announcement when any significant data breach occurs, as well as a mandatory annual public report of data breaches. Reports and announcement should be published on the company’s website (just like an annual report) and filed with the Office of the Australian Information Commissioner.

Read more: Optus says it needed to keep identity data for six years. But did it really?[7]

This would ensure public access to a coherent historical record of breach-related events and organisational responses. The disclosures would allow community groups, regulators and interested parties to analyse breaches of our data and act accordingly.

At its simplest, a mandatory disclosure framework encourages annual disclosures that are comparable and publicly available. At the very least it creates opportunities for scrutiny and discussion.

Read more https://theconversation.com/after-the-optus-data-breach-australia-needs-mandatory-disclosure-laws-192612

The Times Features

Why a Garage Shed is the Perfect Addition to Your Property

The most straightforward and most wholesome extension for any property. A garage shed is a potential solution for you, whether you are looking for an additional space for storage...

Revitalising Homes Through Strategic Architectural Renewal

Residential window replacement is one of the few home improvement interventions that goes far beyond simple aesthetic upgrades. Door frames and windows constitute these vital archi...

The Benefits of Animal-Assisted Speech Therapy For Children

Speech therapy has long been a standard for supporting children’s communication and emotional development. But what happens when you introduce a furry friend into the process? Th...

The Hidden Dangers of Blocked Drains and the Ultimate Solution for a Hassle-Free Home

Drain blockages are a big hassle to every homeowner and business owner alike. Whether it is a sink in the kitchen or bathroom, a clogged toilet, or a foul smell circulating aroun...

Understanding the Dangers of Ignoring a Gas Leak

Gas leaks are silent threats lurking within both homes and workplaces. A gas leak occurs when natural gas or any other gaseous substance escapes from a pipeline or containment. T...

Can You Sell Your House Privately in Queensland? Here’s How

Selling a house privately in Queensland is entirely possible and can be a cost-effective alternative to using a real estate agent. While agents provide valuable expertise, their co...

Times Magazine

CWU Assistive Tech Hub is Changing Lives: Win a Free Rollator Walker This Easter!

🌟 Mobility. Independence. Community. All in One. This Easter, the CWU Assistive Tech Hub is pleased to support the Banyule community by giving away a rollator walker. The giveaway will take place during the Macleod Village Easter Egg Hunt & Ma...

"Eternal Nurture" by Cara Barilla: A Timeless Collection of Wisdom and Healing

Renowned Sydney-born author and educator Cara Barilla has released her latest book, Eternal Nurture, a profound collection of inspirational quotes designed to support mindfulness, emotional healing, and personal growth. With a deep commitment to ...

How AI-Driven SEO Enhancements Can Improve Headless CMS Content Visibility

Whereas SEO (search engine optimization) is critical in the digital landscape for making connections to content, much of it is still done manually keyword research, metatags, final tweaks at publication requiring a human element that takes extensiv...

Crypto Expert John Fenga Reveals How Blockchain is Revolutionising Charity

One of the most persistent challenges in the charity sector is trust. Donors often wonder whether their contributions are being used effectively or if overhead costs consume a significant portion. Traditional fundraising methods can be opaque, with...

Navigating Parenting Arrangements in Australia: A Legal Guide for Parents

Understanding Parenting Arrangements in Australia. Child custody disputes are often one of the most emotionally charged aspects of separation or divorce. Parents naturally want what is best for their children, but the legal process of determining ...

Blocky Adventures: A Minecraft Movie Celebration for Your Wrist

The Minecraft movie is almost here—and it’s time to get excited! With the film set to hit theaters on April 4, 2025, fans have a brand-new reason to celebrate. To honor the upcoming blockbuster, watchfaces.co has released a special Minecraft-inspir...

LayBy Shopping