Proposal
1. The Communications Minister should create a mandatory data breach notification scheme by amending the Privacy Act 1988.
Executive Summary
2. The metadata retention scheme which came into effect this month creates a situation where Internet Service Providers (ISPs) are storing more Australians’ data, less securely, when they are already targets for cyber criminals.
3. This is why the government should create a mandatory data breach notification scheme, since it allows for market forces to provide cybersecurity in a responsive way which regulating minimum security requirements cannot.
Background
4. On October 13, 2015, the government’s mandatory metadata retention scheme came into effect. This requires ISPs to retain their customers’ metadata for at least two years for law enforcement to access.[1] This scheme has increased the risk of cybercrime.
5. We know that Australians’ data and metadata are a target for theft, as Telstra and other high-profile ISPs have been breached previously.[2] The estimated cost of cybercrime to Australian citizens is more than $1 billion annually.[3] The threat exists.
6. But by requiring ISPs to store their customers’ metadata, the scheme has made ISPs a more attractive target for hackers, since much more data is stored in one place. Metadata is also attractive to thieves because it identifies people’s activities and can be used to blackmail them or steal their identities.
7. ISPs’ costs for metadata storage are only partially borne by the government, which leads ISPs to choose low cost offshore storage for metadata.
8. If this metadata is stolen, under current laws ISPs are not required to report the data breach. This means that, other than the costs of discovering and cleaning up computer systems after a breach, there are no penalties for an ISP that is breached.
9. In sum, Australian ISPs are already targets for cybercrime, and metadata retention makes them store higher volumes of more attractive data, in a less secure manner. The cost of being breached is low for ISPs since reporting is not mandatory. This is why metadata retention has increased the risk of cybercrime.
Comment
10. The model proposed for a mandatory breach notification scheme is that if an ISP becomes aware that its customers’ data has been unlawfully accessed, the ISP in question must report the theft to the Privacy Commissioner and to the affected individuals.
The Case for Mandatory Breach Notification
11. Unfortunately, the government cannot mandate minimum security requirements for ISPs. This is because the pace of innovation in information security would make any government standard obsolete as soon as it was implemented.
12. Mandatory breach notification will reduce the risk of cybercrime in two ways. First, mandatory breach notification increases the potential costs of cybercrime to ISPs. If an ISP is breached and must report it, then it may suffer poor publicity and may lose market share as affected customers switch to a competing internet provider or potential customers avoid that ISP over privacy concerns.
13. These are real costs to business and so they will incentivize ISPs to invest in securing the metadata which they are required to store, in order to prevent these costs on their business. In this way, better information for consumers will allow market forces to dictate the appropriate level of investment in security commensurate with the costs that cybercrime will impose on ISPs.
14. Second, mandatory breach notification allows individuals to mitigate the impacts of cybercrime on themselves. If an individual is alerted to a breach of their metadata, personal and financial information stored by their ISP, then they are able to act to ameliorate losses. Individuals can change their passwords, notify credit card providers to prevent fraudulent transactions, or act to prevent blackmail. In less immediate action, individuals can change internet providers to a safer ISP in order to prevent further harm from cybercrime.
Counter Arguments
15. There are three prominent counters to this case.
16. First, mandatory breach notification is more red tape for ISPs to comply with. There will be compliance costs on ISPs from mandatory data breach notification, as well as the public costs of notification outlined previously. While this government has stated its priority to reduce regulatory red tape, it has also committed to keeping the nation secure. National security was the rationale for the metadata retention legislation, which increased security at the cost of ISP compliance. These compliance costs were not fully covered by government funding, so the government has previously accepted that national security is a higher priority than non-interference in telecommunications markets. Mandatory breach notification is the logical extension of the metadata retention legislation, since it mitigates the increased risk of cybercrime which metadata retention created, at the price of higher compliance costs for ISPs.
17. Second, mandatory breach notification will create a perverse incentive for ignorance. This is because ISPs will investigate network breaches less, since they face losing customers if they discover a breach and are forced to report it. It is true that incentivising purposeful ignorance by an ISP of possible breaches may be an unintended result of a mandatory breach notification scheme. To address this possibility, the Privacy Commissioner should have the power to initiate investigations into ISPs to ensure this does not occur.
18. Third, the scheme would require that the Privacy Commissioner undertake significant new activities without any increase in funding. This can be addressed by consulting with the Commissioner to determine the funding requirements of the proposed scheme. If additional funding is required, then it should be provided. This mirrors the government’s process for increasing the funding of the Inspector General of Intelligence and Security to oversee the metadata retention scheme.
Legislative Implications
19. New legislation amending the Privacy Act 1988 will be needed to mandate that ISPs report data breaches to the Privacy Commissioner and to empower the Commissioner to investigate ISPs’ compliance with mandatory data breach notification.
20. Similar legislation was drafted by the Labor Party in 2014 and supported by the Greens in the Senate. Therefore, if the government accepts this proposal, the legislative outlook for it is optimistic.
Recommendations
21. It is recommended that the Minister:
1. Amend the Privacy Act 1988 such that it would:
1.1. Require that ISPs report all unlawful breaches of their customers’ data which they are aware of to the Privacy Commissioner within a reasonable timeframe.
1.2. Empower the Privacy Commissioner to initiate investigations into ISPs to ensure their compliance with mandatory data breach notification laws.
2. Consult with the Privacy Commissioner to determine any additional funding requirements which the scheme would place on the office.