New Govt. Bill To End Secrecy On Big Data Breaches
Many Australian companies are failing to report ransomware – which locks users out of their computers until they pay a fee – and instead perpetuate the practice by coughing up the cash, according to financial services firm Deloitte.
“I’m amazed at how many Australian businesses pay the money … certainly some super funds, insurers and corporates pay the money because it’s just easier to pay a few hundred dollars – and then they wonder why six weeks later they get hit again,” Deloitte’s James Nunn-Price told reporters yesterday.
Nunn-Price said many companies only report the issue to police when the amounts involved escalate dramatically.
CERT Australia, the national computer emergency response team and a partner agency in the Canberra-based Australian Cyber Security Centre, says it responded to 11,733 cybercrime incidents in 2014-15.
However, failure to report cybercrime and data breaches may soon no longer be an option for the bigger companies and agencies in Australia. Federal Parliament is due to debate a government bill in coming months that, if passed, would make notification compulsory for companies with an annual turnover of more than $3 million.
The draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 will also apply to any company currently subject to the Privacy Act. Small businesses at this stage are exempt.
The bill, if passed, will require notifications to be sent to all individuals whose personal information may have been exposed in a data breach.
At present, the Privacy Act 1988 requires government agencies and businesses subject to the Act to take “reasonable steps” to secure personal information they hold, but does not mandate notification following a breach.
The Office of the Australian Information Commissioner (OAIC) administers a voluntary data breach notification scheme. It received 110 such notifications in 2014.
Interested parties can examine the new draft Privacy Amendment bill and, if interested, make a submission, preferably by e-mail, by March 4. A 10-page discussion paper is available at the Attorney-General’s Department Web site.