Personal data of 550,000 Red Cross blood donors was breached
Database dump available in the clear for 2 months
Mandatory Data Breach Bill finally introduced into Parliament
Individuals could be fined $340,000, organisations up to $1.7m
Sources: CSO; Norton Rose
Point of View
The Privacy Amendment (Notifiable Data Breaches) Bill is being put before the current session of parliament. Previous efforts to initiate data breach legislation have met with strong opposition from industry and been set aside. However, the recent breach of personal data belonging to 550,000 Red Cross blood donors underlines the need for more concrete protection in this area. The Red Cross breach was the result of careless data handling: a backup database was inadvertently exposed on a public-facing server by the organisation's web provider.
In many cases it is unclear to what extent any sensitive data has fallen into the wrong hands. However, once a breach has been identified and publicised, it can provide the basis for a range of different attacks. Frequently, phishing attacks follow on from a widely publicised data breach. The effects of such attacks have the potential to undermine consumer confidence and magnify the importance of the original breach.
Data compromise has become a global enterprise, with new breaches reported daily. In response, data breach management has become a substantial industry, especially in the US, where organisations specialise in notifying those affected and putting in place the necessary mitigation. English-speaking countries are especially vulnerable to data breaches, as it is simple for attackers to craft phishing emails or make phone calls in such a widely spoken international language.
In Europe, data protection laws have historically been very strong. The upcoming EU General Data Protection Regulation seeks to strengthen this stance still further. Applicable to organisations doing business within the EU, it permits penalties of up to 20m Euros or 4% of global turnover (whichever is greater). It also supports a wider view of what might be considered personal data, such as IP addresses. Even pseudonymised data may fall within its scope, depending on the quality of the pseudonymisation process.
It is preferable for all concerned that data breach notification should remain a last resort. It is expensive, undermines consumer confidence and can lead to further attacks. Effective risk management in support of robust privacy policies must be the preferred option.
Globally, the penalties are becoming increasingly harsh, with the UK ICO recently recommending that company directors should be held personally liable. In Israel, serious data protection contraventions have even resulted in imprisonment.
With the potential for severe penalties, it is important for Australian companies to be prepared for a more exacting approach to data protection.
The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.