Australian consumers are facing unnecessary cyber security risks thanks to the ongoing lack of mandatory data breach notification laws, the Parliament’s Joint Select Committee on Cyber-Safety has heard.
Speaking at the committee’s Inquiry into Cybersafety for Senior Australians, University of Canberra Centre for Internet Safety director, Alastair MacGibbon, said a widespread lack of understanding about the extent of cyber security threats was increased through Australia not having mandatory data breach notification laws.
“We don’t actually know how many data breaches there are in Australia, and how much of our personally identifiable information is out there as there is no compulsion to report [data] breaches to individuals or to a central commonwealth authority like the privacy Commissioner or others,” he said.
“Some companies take it upon themselves to notify the OPC (Office of the Privacy Commissioner) but generally speaking there are no huge requirements on companies to protect information they gather and many don’t even understand the threats are and why someone would want to steal it.”
Mandatory data breach notification laws have been the topic of debate for a number of years now. In late 2009, Symantec’s chief executive, Enrique Salem, said his company had been called in by the Australian government to provide advice on proposed changes to the Privacy Act to allow for the introduction of data breach notification laws.
In late 2011, the Information Commissioner called for the updating of the national Privacy Act, including the introduction of mandatory data breach laws, to cope with the impact of technology on the privacy of Australians.
MacGibbon added that in the Centre’s estimation, the potential for personal or business data to be stolen had grown in recent years with a decline in the prices charged by cyber criminals for access to data such as credit card details.
“If you do an analysis of the cost of personal data online – what does a criminal now pay on the black market for your full credentials – they now pay a lot less now than they did a couple of years ago,” he said. “In simple supply and demand economics that is because there is a lot more data out there than criminals know what to do with.”
The consequence of this was that while users’ data may have been compromised, it may not yet have been exploited due to the sheer volume stolen data being traded.
“I make the assumption that my credit card has been skimmed or stolen from a website I have visited and have done business with, but it hasn’t been cancelled by my bank because it hasn’t been misused by criminals,” he said.
Nigel Phair, a founding member of the Australian High Tech Crime Centre (AHTCC) and currently a director at Centre for Internet Safety, said that small and medium businesses were largely unaware of the security risks to their own business data as well as that of their customers.
“The majority of SMEs do not have the capacity or capability to really cope with [data security],” he said. “There is the Payment Card Industry Data Security Standards, the PCIDSS, which they are meant to adhere to and the majority don’t as there is no carrot and stick approach to that.”
“The other problem is that if you are an SME, or even larger organisation, which has had a data breach and has lost customer information including credit cards… there is no real financial loss to you -- it is all to the end user. You have been compromised had the breach, you may have brought in an IT security company perhaps to mop up the problem, everything is good, but it is all those people who have bought off your website who have the heartache for some time.”
Under the PCIDSS, all companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.
Last year, the Australia New Zealand director for payment solutions company IP Payments, Mark Lewis, said even major banks were facing challenges in properly implementing the standard.
Commenting further on the state of cyber security within Australia, MacGibbon said that IT vendors also needed to shoulder some responsibility due to a lack of common definitions of security threats and common tracking of threats over time.
“All the vendors and think tanks out there don’t consistently look at the same threats online, so it is hard to say whether phishing attacks are going up or spam is more prevalent or not,” he said.
“You might have heard the term ‘advance persistent threats’. It is hard to tell whether they are more advanced, less advanced, more persistent, whether the threat vector is rising, whether people are losing more money or not. There needs to be a whole lot more work done on whether things are improving or otherwise.”