Notifiable Data Breaches report July to December 2023

Ok, so the Office of the Australian Information Commissioner has put out the latest Notifiable Data Breaches report, and they are very cross.

Here’s the short version

  • The OAIC is very concerned about the privacy of Australians. Like super concerned. They take it very seriously.
  • They think companies should care about privacy too and implement best practice systems (If they want to).
  • Lots of breach reports have been filed. See, the NDB scheme is a success.
  • The OAIC can fine companies if they get extra, super cross. They won’t, but they could if they wanted to!

Breaches

There were 483 notifications during the reporting period, up 19% from the previous six months. That’s still trending down since recording began, however.
[Chart: OAIC Notifiable Data Breaches per month]

A stronger approach

The OAIC has said it is going to take a stronger approach to compliance. Which isn’t saying a lot, as previously they’ve done fuck all.

As reported at length in October last year (2023), not one company had been fined, despite the OAIC recording 1748 data breaches in the preceding 2 years.

In fact, the Privacy Commissioner at the time stated that fining companies for breaches was not part of its strategy. Perhaps that has changed with the appointment of Acting Privacy Commissioner Sonia Minutillo, but I wouldn’t bet my lunch on it.

Perhaps they could extend the “stronger approach” to the 28% of companies that failed to meet the 30-day notification period?

The report demonstrates this stronger approach by talking about the Datateks and Lutheran College breaches. The Commissioner has made a determination that both companies failed in their obligations under the Privacy Act 1988. That has zero impact on the companies, though. It’s the equivalent of telling kids they’ve been very naughty, and they shouldn’t do it again. The key line being:

“…The Commissioner ordered the entities to develop data breach response plans within a specified timeframe…”

Oh, no! Not a policy. Don’t make us write a policy.

They also announced they are commencing civil proceedings against Australian Clinical Labs Limited over their previous breach of the Privacy Act.

Wisdom of the ancients

The report demonstrates a range of scenarios where breaches have occurred and offers insight on how they could be avoided or mitigated. There is some solid stuff like:

“…may find it useful to establish and implement a data retention policy…”


“…Individuals affected by a data breach expect to be informed about the incident…”

I think we can all agree that nobody in IT should be reading that and finding it helpful. If you did, put down your laptop, calmly leave the building and get a job in another field.

Commercial Reality

The reality is that companies don’t need to fear the OAIC. Nor do they need to be overly concerned about losing customers. In fact, they get substantial benefit from running the gauntlet of getting breached rather than investing in security systems and practices. While companies can make more from doing less, they will do so.

Running secure information technology is expensive, not just in equipment and software but in time. It slows down everything in little ways. By not maintaining a high standard of security, companies get:

  • Reduced operating costs
  • Reduced project T&M
  • Faster time to market
  • Most importantly, those savings let front-line operations generate profit

Sure, one day you might get breached, but the consequences are far less than what you’ll make in the interim.

This can be demonstrated by the Latitude Financial data breach that occurred last year.

Latitude Financial

In March 2023, Latitude Financial had a data breach which resulted in them taking their systems offline for a week. They were also unable to take on new customers for 6 weeks. This cost them $18M in direct cyber-incident costs to clean up, and they have had to bank another $49M to deal with any future fines / class action suits etc.

Now, $18M to clean up a breach sounds expensive, but let’s keep this in perspective. Latitude has a market value over $1B and assets exceeding $7B.

Latitude gives absolutely zero fucks about $18M spent on IT costs. It’s less than half what they spent on marketing last year.

And this is not a fine; this is remediation, gap analysis, recommendations etc. Things that deliver value to their organisation. The tech team has likely had this on their wish-list for some time.

In their last company report (LFS FY23 Appendix 4E) they state:

“Pleasingly as operations resumed volumes rebounded with all of our major retail partners remaining with Latitude through 2023. Volumes continued to build momentum through to December 2023 despite both a challenging retail sales environment and the resumption of pricing actions”

So yeah, they are doing just fine. Worst case, they might have to pay out some of that $49M cash reserve, but in the interim it’s earning interest in the bank.