Privacy Awareness Week Business Breakfast 2019
“Making privacy the priority: privacy and data protection in our interconnected world” ― keynote address by Australian Information Commissioner and Privacy Commissioner Angelene Falk
Good morning, distinguished guests, members of the business community, privacy practitioners.
It is my great pleasure to welcome you to Privacy Awareness Week 2019. It is wonderful to see familiar faces and new privacy supporters.
I would like to acknowledge the traditional custodians of the land on which we meet today, the Gadigal people of the Eora nation, and pay my respects to elders, past present and emerging.
And I welcome fellow Commissioners ― Human Rights Commissioner Ed Santow; Samantha Gavel, NSW Privacy Commissioner; Deborah Anton, Interim National Data Commissioner; and former Privacy Commissioner Malcolm Crompton ― and acknowledge the contributions you make to protecting privacy in your work.
Privacy Awareness Week is held every May as an initiative of the Asia Pacific Privacy Authorities.
Now in its 14th year, it is an opportunity to show your commitment to making privacy and data protection the priority of every business.
Increasingly, businesses understand the benefit of doing so: this year a record number of supporters have signed up.
Over the course of the week we will highlight a number of privacy priorities for organisations and consumers, from data breaches and online security, to credit, health information and personal data management.
Because ― since I last stood at this podium ― privacy has come into even sharper focus as one of the top priorities for organisations and the public alike, in Australia and around the world.
Our personal information is a vital input to the economy and government.
And its responsible management, as organisations face increasingly complex data protection challenges, is critical.
Good privacy practice is more than ever, a central pillar of business success.
Today, I’d like to talk to you about the privacy fundamentals of transparency and accountability; about why earning consumer trust in the way you handle personal information is so important.
At your table you will have a copy of our Insights Report which provides lessons learned after 12 months of regulating the Notifiable Data Breaches scheme.
I will look back at the scheme, a key transparency measure, to understand the causes of breaches.
These provide a compelling evidence base for business to act, so that breaches can be prevented.
And I will look forward, at the next 12 months and beyond for privacy regulation, in particular at the need to rebalance the relationship between privacy self-management and organisational accountability.
For me, these issues are ultimately a matter of integrity: data custodians, acting honestly and ethically, with decency and fairness.
Who we are
The Office of the Australian Information Commissioner upholds and advances Australians’ information rights through privacy protections and access to government-held information.
We are an integrity agency, promoting transparent and accountable handling of personal information across government and business.
We are a human rights agency, protecting the right of individuals to personal autonomy, choice and control.
We are an agency that recognises the economic value of personal information to innovation and the digital economy.
And we seek outcomes in the public interest.
Getting privacy right in 2019 requires privacy professionals to cover an expanded terrain:
- the day to day pragmatism of data governance
- people, systems and technology
- data protection and consumer protection, and
- national and global regulatory environments.
As business transforms its models and systems for the future, integrity in handling personal information will play a significant role.
As I look around the room, at our privacy leaders, I know you play a huge part in driving this change with us, for the better.
The goal of “do no harm” is apt.
Because data – including personal data – is now the lifeblood of the global economy.
And it continues to raise new issues that challenge the way we operate.
Cooperation and collaboration
One of the ways the OAIC is responding to these challenges is by engaging internationally in global privacy debates and regulation.
Our ability to prevent, detect, deter and remedy relies on cooperation and collaboration, across regulatory regimes, across borders, with the community, business, government and academics.
This is central to our approach to regulating in the global economy:
- developing regulatory policy and guidance that takes account of global developments
- creating interoperable regulatory frameworks, and
- cooperative international regulatory action.
One resounding factor in common across jurisdictions is the community expectation that entities handle personal information responsibly.
That’s coming through loud and clear in regulatory conversations and developments around the world:
- our own notifiable data breach scheme, which started in February last year
- the GDPR of May 2018, which we are monitoring closely
- the EU’s proposed ePrivacy Regulation for online communication services, tracking technologies, and electronic direct marketing
- the California Consumer Privacy Act 2018, and a possible US federal privacy law.
The intersection between consumer protection, privacy and data protection is increasingly relevant given the importance of personal information in the digital economy.
Through my role on the Executive Committee of the International Conference of Data Protection and Privacy Commissioners, the OAIC co-chairs the Digital Citizen and Consumer working group.
It is dedicated to improving collaboration at an international level between data protection and consumer protection authorities to better protect citizens and consumers.
At home we are increasingly collaborating with the Australian Competition and Consumer Commission, including on digital platforms.
At this time last year, we had just learned that the information of more than 300,000 Australian Facebook users may have been acquired and used without authorisation.
The past 12 months has seen increasing scrutiny of digital platforms, and a global conversation about their role and responsibilities.
Our investigation into the Facebook matter is well progressed, and has been marked by regulatory cooperation around the globe.
Notifiable Data Breaches – one year on
And while the Cambridge Analytica case depended on disclosure by a third party to come to light, there is now a positive obligation to report eligible data breaches to my Office and notify affected individuals.
We now have access to four quarters of statistics from the Notifiable Data Breaches scheme, which are reflected in the Insights Report we share with you today.
The NDB scheme goes to the core of good privacy practice — transparency and accountability:
- It incentivises proactive security practices to protect personal information
- It addresses under-reporting and delays which can limit opportunities to prevent harm
- It allows consumers to make informed choices, and have confidence in the entities they deal with.
Increasing transparency and accountability
One year in, we can see how the scheme is enhancing transparency.
Our report shows:
- 964 eligible data breaches were notified under the mandatory scheme.
- 60 per cent were traced back to malicious or criminal attacks.
- Overall, the leading cause of data breaches was compromised credentials, with 153 breaches linked to phishing.
- More than a third of breaches were directly due to human error.
- Personal information being emailed to the wrong recipient caused 97 data breaches ― one in ten notifications.
- The rate of human error was higher in the sectors reporting the most data breaches – health and finance.
- Those sectors hold high volumes of personal data, and may have more mature data breach processes.
- Unlike other sectors, the private health sector has obligations under the Privacy Act regardless of annual turnover.
- The remaining 5 per cent of all notifiable data breaches involved system faults.
- We also received 168 voluntary notifications.
- In total, this represents a 712% increase in data breaches compared to the previous voluntary scheme, where there was no obligation to notify individuals.
This growth in the number of data breaches after the introduction of mandatory reporting is broadly consistent with trends overseas.
The report also examines multi-party notifications: there were 11 during the 12-month period, involving between two and 60 notifications each.
In responding to the first reported multi-party breach since the scheme began ― PageUp ― we worked closely with the Australian Centre for Cyber Security and IDCARE, the national identity and cyber support service.
Coming just 12 weeks after the scheme began, this and other multi-party breaches highlight the need for detailed data breach response plans, that are reflected in provider contracts and include clear accountabilities.
We also recommend that, in general, the entity with the most direct relationship with affected individuals take the lead in notifying them.
The human element
Perhaps the most important insight from this report is that most data breaches, including cyber incidents, involve or exploit a human element.
Whether it’s sending information to the wrong person or clicking on a phishing link, employees were centrally involved in most of the data breaches reported to the OAIC in the period.
Organisations need to support staff to get privacy right, to understand the risks and how to mitigate them.
According to one recent study, 59% of people are still reusing passwords.
That’s why “credential stuffing” is so successful as a way to breach accounts.
Another survey found 69 per cent are sharing passwords.
At first glance, [ji32k7au4a83] might look like a clever password.
But it appears in around 140 recent data breaches.
We’re told that’s because ― on keyboards using the Chinese phonetic system ― these characters correspond to the phrase “my password”.
Simply typing in the word “password” gave cyber attackers a free pass into 3.6 million accounts worldwide, according to a list of the top 100,000 hacked passwords.
First on the list was “123456”.
This tells us that systems need to take account of this human tendency and demand strong passwords and regular resets, and ensure multiple log in attempts are locked out.
This is basic, but our report shows that it’s the fundamentals that organisations need to get right.
Our regulatory approach
Our approach in the first year of the scheme has been to drive awareness of entities’ obligations and the causes of data breaches, to support better practices.
In addition to the thousands of calls we’ve received about the scheme, our hard-working data breach team engaged with more than 1000 organisations that notified a breach.
We conducted regulatory enquiries to ensure breaches were contained and rectified, and that measures were implemented to prevent reoccurrence.
This has been successful in elevating the security posture of those organisations.
Many took a proactive approach to engaging with us, enabling us to work constructively with them to ensure an effective response.
But further regulatory action has been necessary, and I have issued a direction to compel notification where we uncovered a failure to notify individuals.
I can also investigate an entity’s compliance with the Australian Privacy Principles on my own initiative, and a number of Commissioner initiated investigations are nearing completion.
There is an active community debate about how best to regulate data breaches:
- on the one hand, some take the view that working collaboratively between regulator and business is the answer, to encourage sharing of lessons learned, and not to name and shame so as to discourage reporting
- others would like to see greater use of the regulatory stick.
Regardless of the fact that I don’t have a proactive power to publish data breach notifications as a matter of course, I think the regulatory solution lies somewhere between these two views.
While we will continue to work constructively with organisations that experience a breach, and to take a proportionate and evidence‑based regulatory approach, we will be exercising regulatory and enforcement powers where necessary.
Over the year, we have observed assessment and notification processes maturing, which is important to prevent notification fatigue, both for entities and individuals.
But there is room for improvement, particularly when it comes to harm minimisation.
According to IDCARE, their data indicates the average time between a data breach and misuse of credentials is less than ten days.
This means time is of the essence in notifying individuals to act to minimise the impact of a data breach.
Multi-party and multi-jurisdictional breaches can be managed better: build into party agreements accountabilities for data breaches and take account of jurisdictional requirements.
Most significantly, we now have a clear evidence base of the causes.
We are at a turning point in the implementation of the scheme, and it is time to take note and apply the lessons learned to secure personal information holdings.
Business needs to get the basics right, and our top five best practice recommendations to help you, are outlined in the report:
- Your people must be trained to protect their devices and accounts
- Investing in better security measures must be a priority
- Do you have a data breach response plan? Have you tested it? Are accountabilities clear?
- Understand your data holdings so you can make a prompt and thorough assessment if a breach occurs
- After a breach – put the individual first – communicate in plain English, and provide practical information that helps people to mitigate harm.
This is about people and processes, as well as technology.
Moving beyond compliance
Armed with these insights, we believe entities are now well equipped to meet their obligations and take proactive steps to prevent breaches of personal information. This is my expectation.
This means fostering a workplace culture where privacy and security are organisational priorities.
We expect you to support consumers effectively, take responsibility for the impacts of a data breach, and help people mitigate the harm that may result.
We encourage you to move beyond a purely compliance approach. Taking steps to put the consumer first can differentiate your business and maintain trust.
Trust in data holders
Because, for our digital economy to flourish, it needs to have the confidence of those who entrust it with their personal information.
And there’s some ground to make up here.
A recent ANU survey of attitudes to data governance found the ABS is our most trusted data holder.
Social media companies were the least trusted.
The study concluded that if we want to make use of the rich data available, “there is an urgent and continuing need to build up trust across the population”.
Privacy complaints and investigations
Increased calls to our enquiry line and the exponential growth in complaints are a clear indicator that the community expects more.
The complaints illustrate the human impact of entities not meeting their obligations in the way the community should expect.
The person whose gambling addiction is exacerbated by continued direct marketing after trying to opt out; a woman who is assaulted after an ex-partner learns her whereabouts through disclosure by an organisation.
These are the day-to-day matters that my office deals with, and which our skilled staff resolve, often resulting in changes to practices and compensation for the individual.
So what is the solution?
I think part of the solution lies in how to support privacy self management through organisational accountability.
Privacy self-management done well allows individuals to exercise choice and control, by understanding how their personal information is being handled.
However, it is dependent on the extent to which organisations make this information accessible and understandable.
I was struck by this challenge myself recently when I went to download a messaging app.
It took me 45 minutes to read through the privacy policies (of course I read very word), and all the secondary uses that seemed very much in the interests of the business and unrelated to the service I wanted.
At the end, the only choice was to “take it or leave it”.
I chose to leave it.
This is going to be an important focus for the OAIC over the next 12 months ― how to best support individuals to manage their privacy, and ensure greater organisational accountability for how personal information is handled.
In matters before my office we are examining notices, policies and consent, and working to ensure that individuals who are consenting are fully informed and that it’s freely given.
Organisations must make it easier for individuals to make informed privacy choices so that privacy self-management becomes meaningful.
And privacy self-management needs to be supported by organisational accountability; privacy by design; verifiable compliance.
We have to hand a range of regulatory powers to achieve this, including guidance and code-making, to make it clear to the regulated community what is expected.
And based on the experience of the notifiable data breaches scheme, over the next year we will focus on compliance with security requirements generally, and continue to monitor and work with the top reporting sectors to uplift their security posture.
For business, data integrity is critical.
Managing personal data with integrity is equally important ― operating transparently and accountably, so your information handling, and your business, is worthy of trust.
For some, this will mean rethinking their ethical obligations when handling our data.
This underscores the important role the OAIC fulfils in ensuring integrity in a data driven economy.
Our Insights Report provides a clear evidence base for organisations that shows where to invest in preventing breaches: your people and your systems.
There is also undeniable proof of the cost of data breaches ― worldwide, in recent cases like Equifax and Cathay Pacific.
In Australia, the recent Landmark White data breach was linked to suspensions of trading and a drop in share price and profits.
Our data offers enormous potential for citizens, business and government.
It can be used to make better-informed decisions and develop innovative products and services for all sectors.
But to do that, we need strong privacy protections that build public confidence and consumer trust.
So business cannot afford to be in the dark on privacy.
Its success depends on making privacy a priority for every business.