Mandatory data breach notification – the impact on auditors
November 28, 2016

David Berkelmans, Executive Director


Last week I attended a National Press Club address from the Minister Assisting the Prime Minister on Cyber Security Hon Dan Tehan MP.

The address was titled ‘Cyber Storm’ and was an update of the implementation of the Australian Government Cyber Security Strategy launched by the Prime Minister in April of this year.

During the presentation, the Minister touched on some very interesting points, including mandatory data breach notification and the need for transparency from both the private and public sectors in relation to cyber security breaches.

Mandatory data breach notification legislation was presented in parliament recently, with Justice Minister Michael Keenan introducing the proposed laws into the House of Representatives on 19 October.

If passed into law, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 would compel government agencies and businesses operating under the Privacy Act to notify the Australian Information Commissioner and affected individuals of an eligible data breach, broadly one that is likely to result in serious harm to the individuals concerned.

I recently attended an ISACA meeting in Chicago with other IT auditors from around the globe. What became apparent to me at this meeting is that when similar legislation has been introduced in other countries, it has had a large impact on IT auditors.

Entities have had to introduce policies and procedures for data breach notification, and audit has had a role in assessing both their initial adequacy and ongoing compliance. More work has also been required to prevent data breaches from occurring in the first place.

If the legislation passes, IT auditors in Australia need to start thinking about how it will affect us.

A key driver for this legislation is the principle that when an individual's personal information gets into the wrong hands, that individual has a right to know.

There is also a need for information sharing so that threat intelligence reaches other entities before they are hit by the same attack. However, when considering this legislation as an IT auditor, we need to look at it through the risk management lens. In auditing 101 speak: what is the risk, and what should be in place to mitigate it?

There are a number of pros and cons for this type of legislation and a quick Google search will give you plenty of opinions for and against.

A con that is often raised is that this type of legislation punishes the victim rather than the perpetrator. The person stealing the data is the one committing the crime, but the legislation creates more work for the victim, which in turn could harm their business. If someone's house gets burgled, we don't make them go and tell everyone.

By focusing on this con, we can then focus on how the risk to an entity actually changes. The likelihood itself does not change with the introduction of the legislation: every organisation already faces the risk of its data being breached. What changes is the consequence.

If the legislation passes and you have a data breach, the world is going to know about it. For many businesses this poses a significant reputational risk, as a disclosure of this type may turn customers away. For government entities, it will cause reputational damage to the government of the day.

In summary, the introduction of this legislation will increase the consequence side of the risk equation and, as such, increase the need for mitigating controls. The role of IT auditors in Australia in the coming years will not only be to ensure that the policies and procedures required to comply with the legislation are in place, but also to help entities prevent data breaches from occurring in the first place.