Australia’s regulations on data management and privacy laws need to be strengthened to require public agencies and businesses to be more accountable, say experts.
Charles Darwin University (CDU) Associate Professor Mamoun Alazab said the recent privacy breach of Optus systems, that has been reported to have affected more than 40 per cent of Australians, has highlighted the deficiencies in reporting and accountability of cyber-attacks.
Associate Professor Alazab, from the College of Engineering, IT and Environment, said the Australia’s Notifiable Data Breach (NDB) scheme that was introduced in 2018 was not adequate in helping protect individuals who had their personal data stolen.
“The burden of proof of harm is on the individual who had their data stolen. The laws need to be strengthened to make businesses more responsible and accountable,” Associate Professor Alazab said.
“It was only a matter of time before we experienced an attack of this size, and it exposed the problems with responsibility and accountability in the cybersecurity space. Only victims of a data breach are responsible for dealing with the consequences.”
Associate Professor Alazab said cybersecurity experts at CDU had been warning about the lack of transparency for years.
CDU Lecturer in Law Dr Jenny Ng, from the Asia Pacific College of Business and Law, said the NDB scheme makes it mandatory for a regulated entity to inform the Office of the Australian Information Commissioner and the affected individuals of a serious data breach.
“However, it remains difficult for the victims of data breaches to establish a successful cause of action in court mainly due to the lack of a specific cause of action under Australian law that would allow a person to bring an action for a breach of privacy,” Dr Ng said.
Associate Professor Alazab, Dr Ng and Dr Seung Hun Hong from the Korea Institute of Public Administration published a paper, in the Future Generation Computer Systems journal, last year on the regulatory deficiencies of the reporting process on cyber-attacks.
Associate Professor Alazab said there have been numerous cases in corporate Australia of poor data management and breaches reported under the NDB scheme.
“Cyber threats are increasing at a rapid rate, and they are becoming more sophisticated, so without comprehensive monitoring and policing it is making people extremely vulnerable,” Associate Professor Alazab said.
“This will not be the last time that Australia’s corporate world will have to face such a large data breach, and it will be judged by its response to it.”
Optus has reported previously to NDB that in October 2019 it mistakenly published 50,000 private mobile phone numbers in the White Pages.
You can read the full research here.