Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017 marks a milestone for information security legislation, but industry is still questioning the need for legal intervention.
Australia is not the first country to introduce strict breach notification laws, nor is it likely to be the last. To date, approximately 90 countries have introduced legislation or have existing laws for breach notification with varying degrees of strictness, enforcement and penalties. And yet data breaches still go undetected and unreported. The United States has approximately 47 states with separate breach notification laws and has yet to introduce a consolidated and unified law at the national level.
It’s not the strictness, breadth or depth of digital privacy and breach notification laws that makes them effective. In fact, the effectiveness of breach notification and data privacy laws can only be measured by whether the legislation helped prevent breaches from happening in the first place, and measuring the effectiveness of legislation is a “fuzzy science” at best.
The US National Institute of Standards and Technology (NIST) Cyber Security Framework, although only a guideline and best-practice framework for now, stands to be the closest integration of policy, compliance and security operations. Like the United Kingdom’s National Cyber Security Centre (NCSC), the NIST Framework was created through collaboration between government and the private sector, allowing organisations to address and manage cyber security risks in a cost-effective way that is based on business needs and outcomes, without imposing additional regulatory requirements. This is called “Business Driven Security”.
The NIST Framework can measure operational effectiveness based on practical applications within business environments that measure breach impact. This is the difference between a “paper drill” and practicality.
There is a delicate balance between operational guidelines and law. Legislation cannot be used as a standalone effort for breach prevention or for improving early detection and response. The bottom line is that legislation is only as good as its ability to drive organisational effort and behaviour to monitor and detect before a material breach occurs and data is stolen, manipulated and/or destroyed.
While some businesses may be questioning the need for legislation around data breach notification, it can be argued that it’s less about legal penalties imposed on businesses for non-disclosure and more about reducing risk by proactively identifying gaps and exposures to cyber attacks. Although it may not seem obvious, the government’s legislative involvement and its requirement that businesses report data breaches sends a clear and swift global message that Australian businesses are taking every measure to protect the nation’s public and private critical infrastructure.
One of the most important downstream benefits of breach notification legislation is that it drives a sense of urgency around reporting critical data during and after a breach, which can then be used to implement proactive cyber defence techniques, tactics and procedures.
A good example is the U.S. Department of Defense, together with sectors such as banking and healthcare, which have numerous rules and regulations governing breach notification for their private-industry contracting and procurement partners. They have created collaborative, voluntary programs such as the Defense Industrial Base Cyber Security Program (DIB-CS), the banking sector’s FS-ISAC and healthcare’s NH-ISAC, which are partnerships between public and private sector participants.
These cyber security partnerships provide a collaborative environment for sharing unclassified and classified cyber threat information and offer analyst-to-analyst exchanges and mitigation and remediation strategies. This gives companies analytic support and forensic analysis, while increasing government and industry understanding of cyber threats. Tightly coupled, legislation and collaborative, voluntary programs become very effective. When decoupled, cyber security can become fractured.
One of the most common challenges across many of the 90 countries that have enacted or attempted to enact similar legislation is the failure to recognise that cyber security and breach response don’t follow the legal assumptions legislators make when applying the letter of the law. In reality, what is happening in real time over the Internet – where breaches are often not detected for very long periods of time, if at all – contradicts the legislative assumption that private and public enterprises have a certain level of mature capability to monitor and detect attacks.
During the 12-month ramp-up period before the introduction of the data breach regime, CISOs must determine their cyber security posture and their breach monitoring and detection gaps, and refresh their organisation’s data asset classification and business risk registry. If they do not have a business risk registry in place, implementing one should be a priority well within the 12-month period.
This will allow the CISO to determine short-, mid- and long-term readiness, not only from a compliance perspective but also in assessing how resilient their security programs will be as legislation drives desirable and undesirable behaviours in the “trenches” when faced with a material breach.
As for those businesses that have been reluctant to invest in information security practices until now, legislation alone should not be the primary driver to protect your organisation and its stakeholders from cyber attacks. If you are waiting for legislation to pass before investing in proactive information security practices within your organisation – whether it’s public or private – you’re treading on very thin ice.
With the impending legislative requirements, it will be the collaboration between the law, operational best practices and guidelines that makes digital security part of an organisation’s DNA. Now is the time for businesses to set their information security compasses to “true north” and begin the transformation towards cyber breach readiness, response and resiliency.