Maximum Fines Rise as Australia gets Tough on Data Breaches

29 May 2019

Australia’s data protection and privacy regulator is to receive increased enforcement powers under changes to the country’s data protection laws.

The move, which follows the introduction of a mandatory breach notification regime in 2018, comes as a result of the rising number of data breaches in the country.

Big Stick

On March 25, 2019, the Australian government announced plans to reform the country’s privacy laws, giving the Office of the Australian Information Commissioner (OAIC) new powers and an additional AU$25 million in funding.

The legislation, which is to be drafted in the second half of 2019, will mean higher penalties for companies that breach data protection laws, in addition to making it easier for the OAIC to pursue investigations and respond to breaches.

The amendments to the Privacy Act will result in a big jump in maximum penalties from the current AU$2.1 million to AU$10 million, or 10% of a company's annual domestic turnover, or three times the value of any benefit obtained through the misuse of information, whichever is greater.

More Teeth

As a result of the changes, the OAIC will have new enforcement powers, such as the option of penalties up to AU$63,000 for companies that fail to cooperate with efforts to resolve minor breaches.

The OAIC will also be able to ensure breaches are addressed through third-party reviews, and/or the publication of prominent notices about specific breaches.

The amendments seek to address privacy concerns for social media and online platforms that trade in personal data. The legislation introduces specific rules to protect the personal information of children and vulnerable groups, as well as a new code for social media platforms.

This will enable the regulator to require social media and online platforms to stop using or disclosing an individual's personal information upon request.

Tough data breach requirements were implemented by Australia in February 2018 via the Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced a Notifiable Data Breaches (NDB) regime.

Despite the new regime, it was felt that existing data protection and privacy protections and penalties under the Privacy Act fell short of public expectations, according to a statement from the Attorney-General for Australia.

Rise in Breaches

Tougher data protection and privacy rules come at a time of rising data breaches in Australia. In its first year, some 812 data breaches were notified under the NDB scheme, compared with 114 voluntary data breach notifications made to the OAIC in the previous year.

The recent BDO and AusCERT 2018/19 Cyber Security Survey also found a “rapid rise” in data theft and loss since 2017, including an increase in data breaches via a third party provider or supplier.

Data loss/theft of confidential information incidents rose by 79% in 2018 compared to 2017, while third party breaches rose 74%.

For professional and technical service companies, data breaches via third-party providers increased 300% and data loss/theft of confidential information increased 670%.

However, not all data breaches are reported, according to the report. BDO notes that the rising frequency of data breach incidents and the NDB figures suggest that some of the companies that should be notifying under the NDB scheme may not be doing so.

The BDO report did find, however, that companies are significantly more confident in meeting the requirements of the NDB scheme than they were a year ago.

Over half (56%) are “completely confident” in meeting NDB obligations, up from 11.2% in 2017.


Australian companies are also exposed to data protection and privacy laws in other countries. For example, Australian organizations will need to follow the EU’s General Data Protection Regulation (GDPR) if they have operations in the EU, or where they offer goods and services, or monitor the behaviour of individuals in the EU.

However, this message may not be getting through, according to the BDO survey findings.

While 19% of respondents indicated they were required to comply with GDPR, some 39% were unaware of whether they were required to comply at all.

Of those organizations that identified the need to comply with EU rules, less than 40% had implemented controls to meet their GDPR obligations.

Companies will increasingly need to be aware of data protection regulation and data breach requirements in overseas countries.

Last year, California passed a major data privacy law under the California Consumer Privacy Act of 2018 (CCPA), the first legislation in the US to mirror key aspects of the GDPR.

Brazil is also moving towards a GDPR-style regime, while India and China say they are looking to introduce new privacy rules.

Response vs Prevention

According to the BDO survey, tougher data protection laws have led to increased cyber security awareness among Australian business leaders.

However, the survey also identified weaknesses in cyber incident response plans and cyber risk management. While cyber risk management maturity had generally improved, only 6% of companies say they have fully defined their risk posture.

The report says Australian companies are currently too focused on prevention and compliance with the NDB and GDPR, and not enough on response.

For example, the survey found that less than half of organisations had tested their data breach response plans, an exercise that can reveal significant and often overlooked gaps.

It also revealed a reduction in incident response capabilities, such as business continuity plans and disaster recovery plans, by approximately 10% year-on-year and 8% year-on-year respectively.

Incident response capabilities are correlated to an organization’s detection capabilities and the potential impact of a data breach or cyber security incident.

The survey found that organizations with a cyber security incident response plan and capability detected and responded to more data breach incidents than those without.

Organizations with planning and preparation were 3.5 times more likely to detect data breaches via third party suppliers and providers compared to those without planning and preparation.

Threat Intelligence

Cyber criminals are changing their tactics, switching the emphasis from ransomware attacks to data breaches, according to the BDO report. The survey found the majority of data breaches are caused by deliberate, malicious attacks.

This aligns to the OAIC’s latest quarterly NDB report, which indicated that 64% of data breaches were caused by malicious or criminal attacks. Both reports found that human error was the main cause of around a third of data breaches.

While the majority of cyber attacks are thought to originate from cyber criminals, the survey respondents also reported an increase in suspected attacks from foreign governments and nation states.

Despite this, respondents felt that activists/hacktivists would be nearly twice as likely to be the cause of a cyber security incident in 2019, compared to the previous year.

The survey also recorded an increase in phishing attacks, but a reduction in denial of service and ransomware attacks in 2018 compared with 2017.

However, organizations may be underestimating the prevalence of cyber security criminals and insiders, and over-estimating the frequency of attacks launched by other actors; a symptom of a limited understanding of the relevant cyber security threat risk landscape, the report says.



  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 3394 0486.
