After the Optus data breach, Australia needs mandatory disclosure laws

Image from Shutterstock

Jane Andrew, Professor, University of Sydney Business School, University of Sydney; Max Baker, Senior lecturer, University of Sydney, and Monique Sheehan, Research officer, University of Sydney

The Optus data breach, which has affected close to 10 million Australians, has sparked calls for changes to Australia’s privacy laws, placing limits on what and for how long organisations can hold our personal data.

Equally important is to strengthen obligations for organisations to publicly disclose data breaches. Optus made a public announcement about its breach, but was not legally required to do so.

In fact, beyond the aggregated data produced by the Office of the Australian Information Commissioner, the public is not made aware of the vast majority of data breaches that occur in Australia every year.

Australia has had a “Notifiable Data Breaches” scheme since February 2018 that requires all organisation to notify affected individuals as well as the Office of the Australian Information Commissioner in the case a breach of personal information likely to result in serious harm.

However, no notification is required if the organisation takes remedial action to prevent harm. Most importantly, public disclosure is never required.

This gives a lot of discretion to organisations. They can make their own assessment about the risks and decide not to disclose a breach at all.

Companies listed on the Australian Securities Exchange (ASX) are also obliged to disclose any data breach expected to have a “material economic impact” on a company’s share price. But it is notoriously difficult to measure material economic impact. So these announcements are not a reliable source of information for the public.

Notified data breaches

While the Notifiable Data Breaches scheme is a step in the right direction, it’s impossible to know if the disclosures made reflect the scale and scope of data breaches.

The most recent Notifiable Data Breaches Report, covering the six months from July to December 2021, lists 464 notifications (up 6% from the previous period).

Of these, 256 (55%) were attributed to malicious or criminal attacks, and 190 (41%) to human error, such as emailing personal information to the wrong recipient, publishing information by accident, or losing data storage devices or paperwork. Another 18 (4%) were attributed to system errors.

The sectors that reported the most breaches were the health care service (83 notifications); finance (56); and legal, accounting and management services (51).

About 70% of all incidents reportedly affected fewer than 100 people. But one event affected at least a million people. Despite the scale, the public has not been provided details of these events, or the identities of the organisations responsible.



Regardless of the scale or reason, all data breaches have an impact on people and organisations. Despite this, we rarely learn about anything other than the most spectacular and most criminal of these events.

Without mandatory disclosure, there is insufficient public accountability.

How should minimum disclosure work?

A minimum disclosure framework should include information about the type of data breached, the sensitivity of the data, the cause and size of the breach, and the risk-mitigation strategies the organisation has adopted.

The framework should require both a standardised public announcement when any significant data breach occurs, as well as a mandatory annual public report of data breaches. Reports and announcement should be published on the company’s website (just like an annual report) and filed with the Office of the Australian Information Commissioner.

This would ensure public access to a coherent historical record of breach-related events and organisational responses. The disclosures would allow community groups, regulators and interested parties to analyse breaches of our data and act accordingly.

At its simplest, a mandatory disclosure framework encourages annual disclosures that are comparable and publicly available. At the very least it creates opportunities for scrutiny and discussion.The Conversation

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Authors

  • Jane Andrew joined the University of Sydney in 2010. Prior to that she had held a variety of academic roles at the University of Wollongong. Jane has a particular interest in the relationship between accounting information and public policy and has written extensively on public accountability, carbon accounting, immigration detention, prison privatisation and whistleblowing. The policy relevance of her work means she is often called upon to contribute to discussions of public policy at the State and Federal level. All of Jane’s work has considered the impact of accounting on issues of equity, justice and well-being within the context of neoliberalism. In 2016, Jane released a report titled "Prison Privatisation in Australia: The State of the Nation" providing the first comprehensive review of the costs, performance and accountability of Australian private prisons. Jane is currently the lead investigator on an Australian Research Council Discovery Grant on organisation data breach disclosure practices. Jane was appointed Co-Editor-in-Chief for Critical Perspectives on Accounting in 2018. The journal is the leading international journal dedicated to exploring the link between accounting practices and the many allocative, distributive, social and ecological problems of our era. Jane is also an Associate Editor forAbacus and is a member of the Editorial Board’s for Accounting, Auditing and Accountability, Advances in Public Interest Accounting and Australasian Accounting, Business and Finance Journal. She is also a member of CPA Australia, The Sydney Institute of Criminology and The Imprisonment Observatory. Jane teaches financial accounting to postgraduate students and is an active PhD supervisor

    View all posts
  • Max Baker is a Senior lecturer for the Discipline of Accounting at The University of Sydney Business School. Before his academic career Max worked for a number of large companies such as PricewaterhouseCoopers and Macquarie Bank. As an academic his research has explored corporate accountability, ethics, identity and corporate social responsibility and has been published in a number of top tier academic journals, books and industry reports.

    View all posts