Cybersecurity experts say Australia’s data management regulations and privacy laws need to be strengthened to hold public agencies and businesses more accountable in the wake of the Optus cyber attack.
CDU’s College of Engineering, IT and Environment Associate Professor Mamoun Alazab said the recent Optus privacy breach highlighted deficiencies in the reporting of, and accountability for, cyber-attacks.
According to Associate Professor Alazab, the Notifiable Data Breach (NDB) scheme was not adequate in helping protect individuals who had their personal data stolen in the Optus cyber attack.
“The burden of proof of harm is on the individual who had their data stolen. The laws need to be strengthened to make businesses more responsible and accountable,” he said.
“It was only a matter of time before we experienced an attack of this size, and it exposed the problems with responsibility and accountability in the cybersecurity space. Only victims of a data breach are responsible for dealing with the consequences.”
Cybersecurity experts at CDU had been warning the public about the lack of transparency for years.
CDU Lecturer in Law Dr Jenny Ng, from the Asia Pacific College of Business and Law, said the NDB scheme, which was introduced in 2018, made it mandatory for a regulated entity to inform the Office of the Australian Information Commissioner and the affected individuals of a serious data breach.
“However, it remains difficult for the victims of data breaches to establish a successful cause of action in court mainly due to the lack of a specific cause of action under Australian law that would allow a person to bring an action for a breach of privacy,” Dr Ng said.
Associate Professor Alazab, Dr Ng and Dr Seung Hun Hong from the Korea Institute of Public Administration published a paper last year in the journal Future Generation Computer Systems on the regulatory deficiencies of the reporting process on cyber-attacks.
Associate Professor Alazab said there have been numerous cases in corporate Australia of poor data management and breaches reported under the NDB scheme.
“Cyber threats are increasing at a rapid rate, and they are becoming more sophisticated, so without comprehensive monitoring and policing it is making people extremely vulnerable,” he said.
“This will not be the last time that Australia’s corporate world will have to face such a large data breach, and it will be judged by its response to it.”