Data security in the spotlight

New legislation means you should, in certain instances, be notified if your data is breached. But will it really keep your personal details safe?

By Dr Megan Prictor, Dr Jessica Bell and Associate Professor Mark Taylor, University of Melbourne

In early 2017, the medical records of 31 patients of a Melbourne private hospital were found on a local street.

At the time, the Victorian Health Complaints Commissioner confirmed there was no legal requirement for the patients to be notified, leaving them unaware that highly-sensitive information about their medications, diagnoses, surgeries and mental health conditions had been disclosed so publicly.

Data breaches are increasingly common, with an estimated 10 billion breached globally in the past five years. Picture: Samuel Zeller/Unsplash

This was just one breach among many.

Globally, high-profile breaches have been reported by large internationals like Adobe, Dropbox and Uber. The website breachlevelindex estimates that nearly 10 billion records have been breached since 2013.

In response, the Commonwealth Notifiable Data Breaches scheme, which began in February 2018, has changed the rules here in Australia. The private hospital would now be required not only to let the affected patients know about the breach but also to advise them of any steps they should take.

But just how effective will the new scheme be?

What is the Notifiable Data Breaches scheme?

The Notifiable Data Breaches scheme was introduced into the Commonwealth Privacy Act 1988. The new provisions reflect a trend towards similar schemes around the world, including in most US states and the European Union, but Australia’s attempt is more limited in scope than some.

The scheme applies to Commonwealth government agencies, businesses and non-profit organisations that have an annual turnover in excess of AU$3 million, as well as private sector healthcare providers, credit reporting bodies, credit providers and tax file number recipients. But many organisations are exempt: some small businesses, registered political parties, and state and territory authorities – including public hospitals.

Under the Notifiable Data Breaches scheme, if there is unauthorised access to, disclosure of, or loss of personal information, and this is likely to result in serious harm to a person to whom the information relates, then the organisation that held the information must report the breach to the Australian Information Commissioner as well as notify the person affected.

There are provisions in the Privacy Act to help organisations assess the ‘likelihood of serious harm’ and decide whether they must report the breach. Taking successful remedial action that ameliorates the likelihood of serious harm, like changing access controls on hacked accounts before unauthorised access can occur, in turn, does away with the notification requirement.

So far, so good.

The new law is designed to minimise the harm caused to people when their data is lost or inappropriately accessed, because once they know about it they can act to protect themselves - like cancelling bank cards or changing passwords.

Digital health records are particularly vulnerable, with a recent US survey finding a surprisingly high number of health employees would be wiling to sell patient data. Picture: imgix/Unsplash

In theory, organisations should be motivated to tighten their security measures to avoid adverse publicity through mandatory disclosure of breaches (backed by fines for non-disclosure). This should have the knock-on effect of making it more difficult for hackers to steal personal data.

But will it work?

The legislation only came into force in February, so it’s too early to say what effects it will have. The Office of the Australian Information Commissioner (OAIC) has certainly been doing its best to draw attention to the new provisions.

However, there seem to be some inherent problems.

First, thanks to Australia’s patchwork of Commonwealth and state privacy laws, many organisations that hold a large amount of sensitive personal data are exempt from the new scheme (like state-based entities), while others are unexpectedly caught by it. So the local naturopath has an obligation to report, while major public hospitals do not. And there’s no sign this issue will be addressed.

Major threats to personal data in Australia lie with state health authorities, which fall outside the scheme. The Victorian Auditor-General’s Office, in a 2016-17 report, identified IT security as the most substantial and long-standing problem facing public hospitals, highlighting the risk of “disgruntled employees or hackers circumventing security processes and stealing or altering hospital financial or patient data”.

This risk was underlined by a recent US survey indicating nearly one in five health employees would be willing to sell confidential data for as little as $500.

Second, the 30-day period companies have to investigate a breach could prevent consumers being able to take rapid steps to secure their data. Similar breach notification requirements in Europe require notification to a supervisory authority within 72 hours (where there is a risk to an individual’s rights and freedoms) and notification to the individual directly without “undue delay” (where there is a high risk to individuals).

Third, the hope that the notification scheme will spur organisations to enhance security may be undermined by ambivalence. Despite the OAIC roadshow promoting the scheme, many businesses remain unaware of the new provisions, unconcerned about the risk of data loss and poorly prepared to protect people’s information.

Uber tried to cover up a large breach of its users’ data in 2017. Picture: Wikimedia

Penalties for not reporting breaches, in the context of the outsize budgets of major companies and Commonwealth agencies, are relatively light, with fines of up to AU$2.1 million for corporations. Many may see the cost of compliance with the scheme as higher than the penalty – assuming a penalty is even enforced.

At this stage the OAIC has been given no additional budget to police the new provisions. Large corporations may opt to cover up a breach to protect their reputation. The ride-sharing company Uber did just that in 2017, reportedly paying those who hacked the records of 57 million Uber users US$100,000 to delete the data.

What’s next?

The Notifiable Data Breaches scheme is a starting point, but there’s more to be done.

Joined-up laws across all states and territories that reflect the Commonwealth scheme would give people clarity and certainty about what would happen if their data was hacked, and would motivate organisations at all levels to get their security in order.

Stronger penalties and increased funding to the OAIC to enforce the Notifiable Data Breaches scheme could also be options worth considering.

Nearly everyone is vulnerable to their personal information being exposed publicly; keeping one step ahead of breaches has become an essential task of governments and corporations.

Now, at least, unmasking this problem will allow for more effective monitoring and enforcement of breaches in the future.

Banner image: Samuel Zeller/Unsplash

Legal Affairs

Featured

Republish this article

We believe in the free flow of information. This work is licensed under a Creative Commons Attribution-No Derivatives 3.0 Australia (CC BY-ND 3.0 AU), so you can republish our articles for free, online or in print.

All republished articles must be attributed in the following way and contain links to both the site and original article: “This article was first published on Pursuit. Read the original article.”

<header><h1>Data security in the spotlight</h1><p><a rel="author" href="https://pursuit.unimelb.edu.au/individuals/associate-professor-mark-taylor">Associate Professor Mark Taylor</a>, <a rel="author" href="https://pursuit.unimelb.edu.au/individuals/dr-jessica-bell">Dr Jessica Bell</a> and <a rel="author" href="https://pursuit.unimelb.edu.au/individuals/dr-megan-prictor">Dr Megan Prictor</a></p></header><p>In early 2017, the medical records of 31 patients of a Melbourne private hospital <a href="https://www.theage.com.au/national/victoria/dozens-of-patients-medical-records-found-lying-in-melbourne-street-20170324-gv62op.html">were found on a local street</a>. <br /></p><p>At the time, the <a href="https://hcc.vic.gov.au/">Victorian Health Complaints Commissioner</a> confirmed there was no legal requirement for the patients to be notified, leaving them unaware that highly-sensitive information about their medications, diagnoses, surgeries and mental health conditions had been disclosed so publicly.</p><figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-2.cloudinary.com/the-university-of-melbourne/image/upload/s--LN2fB8b4--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/4f1/909/4d7/4f19094d7be6a1393aec5df23e1e23b7ff4be00cc8da005be522848babed.jpg" srcset="https://res-2.cloudinary.com/the-university-of-melbourne/image/upload/s--b98maBce--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/4f1/909/4d7/4f19094d7be6a1393aec5df23e1e23b7ff4be00cc8da005be522848babed.jpg 446w, https://res-2.cloudinary.com/the-university-of-melbourne/image/upload/s--ETGb7AeC--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/4f1/909/4d7/4f19094d7be6a1393aec5df23e1e23b7ff4be00cc8da005be522848babed.jpg 669w, https://res-2.cloudinary.com/the-university-of-melbourne/image/upload/s--LN2fB8b4--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/4f1/909/4d7/4f19094d7be6a1393aec5df23e1e23b7ff4be00cc8da005be522848babed.jpg 892w, https://res-2.cloudinary.com/the-university-of-melbourne/image/upload/s--usJqpccw--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/4f1/909/4d7/4f19094d7be6a1393aec5df23e1e23b7ff4be00cc8da005be522848babed.jpg 1784w" /><figcaption>Data breaches are increasingly common, with an estimated 10 billion breached globally in the past five years. Picture: Samuel Zeller/Unsplash</figcaption></figure><p>This was just one breach among many. </p><p>Globally, high-profile breaches have been reported by large internationals like <a href="https://krebsonsecurity.com/2016/11/adobe-fined-1m-in-multistate-suit-over-2013-breach-no-jail-for-spamhaus-attacker/">Adobe</a>, <a href="http://fortune.com/2016/08/31/dropbox-breach-passwords/">Dropbox</a> and <a href="http://www.abc.net.au/news/2017-11-22/uber-data-breach-was-not-disclosed-ceo-says/9179168">Uber</a>. The website <a href="http://breachlevelindex.com/">breachlevelindex</a> estimates that nearly 10 billion records have been breached since 2013.</p><p>In response, the <a href="https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme">Commonwealth Notifiable Data Breaches scheme</a>, which began in February 2018, has changed the rules here in Australia. The private hospital would now be required not only to let the affected patients know about the breach but also to advise them of any steps they should take. </p><p>But just how effective will the new scheme be? </p><figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/articles/the-simple-process-of-re-identifying-patients-in-public-health-records"><img alt="" itemprop="image" src="https://res-2.cloudinary.com/the-university-of-melbourne/image/fetch/s--vuDhy6r2--/c_fill,f_jpg,q_70,w_435/https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--2HNS9B6X--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/a2d/fa8/352/a2dfa8352a1f6f38b5d3f5293b790e89edfdfa774d5bcbc4f390f2e08682.jpg" /><h3>The simple process of re-identifying patients in public health records</h3><div class="readmore">Read more</div></a></figure><h2><strong>What is the Notifiable Data Breaches scheme? </strong></h2><p>The Notifiable Data Breaches scheme was introduced into the Commonwealth <em><a href="https://www.legislation.gov.au/Details/C2014C00076">Privacy Act 1988</a></em>. The new provisions reflect a trend towards similar schemes around the world, including in <a href="http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx">most US states</a> and the <a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/">European Union</a>, but Australia’s attempt is more limited in scope than some. </p><p>The scheme <a href="https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme">applies</a> to Commonwealth government agencies, businesses and non-profit organisations that have an annual turnover in excess of AU$3 million, as well as private sector healthcare providers, credit reporting bodies, credit providers and tax file number recipients. But many organisations are exempt: <a href="https://www.oaic.gov.au/media-and-speeches/news/which-small-businesses-have-mandatory-data-breach-reporting-obligations">some small businesses</a>, registered political parties, and state and territory authorities – including <a href="https://www.oaic.gov.au/agencies-and-organisations/faqs-for-agencies-orgs/health-service-providers/which-health-service-providers-are-covered-by-the-privacy-act">public hospitals</a>. </p><p>Under the Notifiable Data Breaches scheme, if there is unauthorised access to, disclosure of, or loss of personal information, and this is likely to result in serious harm to a person to whom the information relates, then the organisation that held the information must report the breach to the Australian Information Commissioner as well as notify the person affected. </p><p>There are provisions in the <em>Privacy Act </em>to help organisations assess the ‘likelihood of serious harm’ and decide whether they must report the breach<em>. </em>Taking successful <a href="https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches#preventing-serious-harm-with-remedial-action">remedial action</a> that ameliorates the likelihood of serious harm, like changing access controls on hacked accounts before unauthorised access can occur, in turn, does away with the notification requirement. </p><p>So far, so good. </p><p>The new law is designed to minimise the harm caused to people when their data is lost or inappropriately accessed, because once they know about it they can act to protect themselves - like cancelling bank cards or changing passwords. </p><figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-4.cloudinary.com/the-university-of-melbourne/image/upload/s--FiHuvC2T--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/19c/6e9/27f/19c6e927f68248f71e0733b33a0aad806598b59a69f6d759ab6a1ab70e44.jpg" srcset="https://res-4.cloudinary.com/the-university-of-melbourne/image/upload/s--ozMT3Eo1--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/19c/6e9/27f/19c6e927f68248f71e0733b33a0aad806598b59a69f6d759ab6a1ab70e44.jpg 446w, https://res-4.cloudinary.com/the-university-of-melbourne/image/upload/s--3I0BSu5E--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/19c/6e9/27f/19c6e927f68248f71e0733b33a0aad806598b59a69f6d759ab6a1ab70e44.jpg 669w, https://res-4.cloudinary.com/the-university-of-melbourne/image/upload/s--FiHuvC2T--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/19c/6e9/27f/19c6e927f68248f71e0733b33a0aad806598b59a69f6d759ab6a1ab70e44.jpg 892w, https://res-4.cloudinary.com/the-university-of-melbourne/image/upload/s--TPwr9w9d--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/19c/6e9/27f/19c6e927f68248f71e0733b33a0aad806598b59a69f6d759ab6a1ab70e44.jpg 1784w" /><figcaption>Digital health records are particularly vulnerable, with a recent US survey finding a surprisingly high number of health employees would be wiling to sell patient data. Picture: imgix/Unsplash</figcaption></figure><p>In theory, organisations should be motivated to tighten their security measures to avoid adverse publicity through mandatory disclosure of breaches (backed by fines for non-disclosure). This should have the knock-on effect of making it more difficult for hackers to steal personal data. </p><h2><strong>But will it work? </strong></h2><p>The legislation only came into force in February, so it’s too early to say what effects it will have. The Office of the Australian Information Commissioner (OAIC) has certainly been doing its best to draw attention to the new provisions. </p><p>However, there seem to be some inherent problems.</p><figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/articles/data-privacy-and-power"><img alt="" itemprop="image" src="https://res-4.cloudinary.com/the-university-of-melbourne/image/fetch/s--JfLc6IgE--/c_fill,f_jpg,q_70,w_435/https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--a_gu7bVt--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/e51/d54/9dd/e51d549ddadbbcdce7c2c85bef235af529c7bcb49f3d8d39549ea023dce1.jpg" /><h3>Data privacy and power</h3><div class="readmore">Read more</div></a></figure><p>First, thanks to Australia’s patchwork of Commonwealth and state privacy laws, many organisations that hold a large amount of sensitive personal data are exempt from the new scheme (like state-based entities), while others are unexpectedly caught by it. So the local naturopath has an obligation to report, while major public hospitals do not. And there’s no sign this issue will be addressed. </p><p>Major threats to personal data in Australia lie with state health authorities, which fall outside the scheme. The Victorian Auditor-General’s Office, in a <a href="https://www.audit.vic.gov.au/report/results-2016-17-audits-public-hospitals">2016-17 report</a>, identified IT security as the most substantial and long-standing problem facing public hospitals, highlighting the risk of “disgruntled employees or hackers circumventing security processes and stealing or altering hospital financial or patient data”. </p><p>This risk was underlined by a <a href="https://www.beckershospitalreview.com/cybersecurity/1-in-5-health-employees-willing-to-sell-confidential-data-7-survey-insights.html">recent US survey</a> indicating nearly one in five health employees would be willing to sell confidential data for as little as $500. </p><p>Second, the 30-day period companies have to investigate a breach could prevent consumers being able to take rapid steps to secure their data. Similar <a href="https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjvp73i7eXZAhWIgrwKHaWHDyYQFggoMAA&url=http%3A%2F%2Fec.europa.eu%2Fnewsroom%2Fdocument.cfm%3Fdoc_id%3D47741&usg=AOvVaw0Zb02JvMR84bVF9Jz_ssOo">breach notification requirements in Europe</a> require notification to a supervisory authority within 72 hours (where there is a risk to an individual’s rights and freedoms) and notification to the individual directly without “undue delay” (where there is a <em>high</em> risk to individuals). </p><p>Third, the hope that the notification scheme will spur organisations to enhance security may be undermined by ambivalence. Despite the OAIC roadshow promoting the scheme, <a href="https://www.canon.com.au/businessinsights/business-readiness-index-2018-security">many businesses remain unaware of the new provisions</a>, unconcerned about the risk of data loss and poorly prepared to protect people’s information. </p><figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--N729kkUJ--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/a03/ba8/ff0/a03ba8ff012e8c0beb8f6862e05cbab3e9ff429a97077c59cb7b8fa70ae3.jpg" srcset="https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--E6pRcp5U--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/a03/ba8/ff0/a03ba8ff012e8c0beb8f6862e05cbab3e9ff429a97077c59cb7b8fa70ae3.jpg 446w, https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--3SKQmXkd--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/a03/ba8/ff0/a03ba8ff012e8c0beb8f6862e05cbab3e9ff429a97077c59cb7b8fa70ae3.jpg 669w, https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--N729kkUJ--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/a03/ba8/ff0/a03ba8ff012e8c0beb8f6862e05cbab3e9ff429a97077c59cb7b8fa70ae3.jpg 892w, https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--SIzi_9nQ--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/a03/ba8/ff0/a03ba8ff012e8c0beb8f6862e05cbab3e9ff429a97077c59cb7b8fa70ae3.jpg 1024w" /><figcaption>Uber tried to cover up a large breach of its users’ data in 2017. Picture: Wikimedia</figcaption></figure><p>Penalties for not reporting breaches, in the context of the outsize budgets of major companies and Commonwealth agencies, are relatively light, with fines of up to AU$2.1 million for corporations. Many may see the cost of compliance with the scheme as higher than the penalty – assuming a penalty is even enforced. </p><p>At this stage the OAIC has been given <a href="https://www.smh.com.au/technology/privacy-commissioner-s-small-budget-to-make-policing-new-data-breach-laws-difficult-experts-say-20180223-p4z1dj.html">no additional budget</a> to police the new provisions. Large corporations may opt to cover up a breach to protect their reputation. The ride-sharing company Uber did just that in 2017, reportedly <a href="http://www.abc.net.au/news/2017-11-22/uber-data-breach-was-not-disclosed-ceo-says/9179168">paying those who hacked the records</a> of 57 million Uber users US$100,000 to delete the data. </p><h2><strong>What’s next? </strong></h2><figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/articles/keeping-tabs-on-the-tech-giants"><img alt="" itemprop="image" src="https://res-1.cloudinary.com/the-university-of-melbourne/image/fetch/s--kCw43KcL--/c_fill,f_jpg,q_70,w_435/https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--Fseip7z3--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/6a7/72d/1fe/6a772d1fec705d03871a9328b1dc184894e9b45350bf9f06b8052fe41806.jpg" /><h3>Keeping tabs on the tech giants</h3><div class="readmore">Read more</div></a></figure><p>The Notifiable Data Breaches scheme is a starting point, but there’s more to be done. </p><p>Joined-up laws across all states and territories that reflect the Commonwealth scheme would give people clarity and certainty about what would happen if their data was hacked, and would motivate organisations at all levels to get their security in order. </p><p>Stronger penalties and increased funding to the OAIC to enforce the Notifiable Data Breaches scheme could also be options worth considering. </p><p>Nearly everyone is vulnerable to their personal information being exposed publicly; keeping one step ahead of breaches has become an essential task of governments and corporations. </p><p>Now, at least, unmasking this problem will allow for more effective monitoring and enforcement of breaches in the future. </p><p>Banner image: Samuel Zeller/Unsplash</p><img alt="" height="1" style="display:none" width="1" src="//track.web.unimelb.edu.au/pursuit/pageview.png?location=https%3A%2F%2Fpursuit.unimelb.edu.au%2Farticles%2Fdata-security-in-the-spotlight&title=Data+security+in+the+spotlight&path=%2Farticles%2Fdata-security-in-the-spotlight&campaign_name=Pursuit+republishing&campaign_medium=republish&campaign_content=Data+security+in+the+spotlight" />

Media enquiries

Phone: +61 3 8344 4123
Email: news@media.unimelb.edu.au

The Media Office is staffed from 8am–5pm Monday to Friday.

The University has a television and radio studio to facilitate live and prerecorded broadcast quality interviews with media. You can also Find an expert for commentary.