Will mistrust between government and industry affect new cyber laws?

As of February 22, Australian companies are now required to comply with the new Data Breach Notification Regulation that was passed under the 2017 Act Privacy Amendment (Notifiable Data Breaches). This regulation impacts all Australian organisations and agencies that currently adhere to the 1988 Privacy Act. Given the dramatic migration of cyber crime and fraud to businesses and government organisations of all sizes over the past five years, federal regulation of data breach notification, to both hold organisations accountable and encourage the implementation of cyber security best practices, seems the obvious answer.

Op-Ed by Terry Roberts, Executive Chair of WhiteHawk Limited (ASX:WHK)

Ideally, we want to know what breaches are happening across government, industry, non-profits, and academia; the magnitude of the breach and the level of sensitivity of the data stolen; and, if available, the who, why, and how of the cyber adversary that took the data. This regulation is designed to gain insight into the scope of cyber events and the impact to our economies.

However, there is one major drawback to this regulation – the fact that it is federally administered. For over a decade, based upon my research and experience, I have recommended that cyber event reporting should be federally sponsored but administered by a non-profit, third party entity that is equally trusted by government and industry, and a proven cyber thought leader.

This is because private businesses and non-profits, by necessity must protect first their reputation and revenue. On the other hand, the government focus is on breach mitigation and customer warning and awareness. As a result, companies may be hesitant to report directly to the government because of their understandably conflicted priorities. And frankly, around the world, there simply is not a complete level of trust between government and industry.

An academic institute or non-profit cyber think tank can best serve as trusted entity for both industry and government and be the expert recipient for cyber event and breach reporting, conduct cyber intelligence analysis, and systematically disseminate notifications, preventative insights and recommendations broadly, without attribution to the impacted company or entity. Utilising a third party as the reporting mechanism means that a company’s reputation will be protected while the customers, clients, and personnel are still appropriately notified about remediation and mitigation of the event. This type of approach is more holistic, scalable and impactful over time.

I have also recommended this third-party framework in the US, where data breach notification regulation is currently highly segmented by state and industry. For example, the health care industry has specific rules about reporting personal information breaches through the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, there is not currently one broad regulation encompassing data breach notifications like the Australian Data Breach Notification Regulation in the US.

So, how does a company prepare for a cyber breach? The first and most important lesson is that strong cyber protection is not about doing everything. It simply isn’t affordable or practical. Instead, you must insure that your customer files are protected and that your proprietary conversations and online communications are encrypted. It’s the digital equivalent of making sure your doors and windows are locked and your jewels are in a safe. Begin by assessing your organisation’s critical functions and prioritising what should be protected first, then back up everything else. Just like that, you are taking the first steps towards protecting your organisation.

It is also important to know that the first step for one company might be the third or fourth step for another, which can make the process seem overwhelming. This is especially true for small and midsize businesses (SMB), who, as a result, are often the most unprepared for a breach.

Until now, there hasn’t been a place for SMBs to quickly and easily profile their risks and put affordable and impactful solutions in place to lower their business risks today. I’ve worked hard the past several years on focusing my time and attention on building the first online cyber security exchange for this underserved market that doesn’t have the cyber security expertise and perhaps never will. This is what the WhiteHawk Cyber Security Exchange is all about. It is an exchange of best practices, cybercrime and fraud trends, analysis of your business risk, and an open marketplace of innovative products and service options.

Australia’s new data breach notification regulation is an important step in increasing peace of mind for both government regulators and consumers that can minimise serious harm to consumers who have had their information stolen or released. Now, we need to work together to help businesses of all sizes put into place the infrastructure to protect their businesses against cyber threats and we offer our expertise to the Australian government to take it to the next level.

Terry Roberts is Executive Chair and founder WhiteHawk Limited, world’s first online cyber security marketplace. Prior to this she was the United States Deputy Director of Naval Intelligence (DDNI).