Published on 25/07/2024 | Written by Heather Wright
And the plans to fix it, as MediSecure reveals breach extent…
The Australian Information Industry Association is calling for small businesses to face clear, broader liabilities for data breaches, and for the existing small business ‘carve out’ in the Privacy Act to be removed, saying the MediSecure attack highlights the need for the Australian Federal Government to close a ‘gaping backdoor’.
Australia is a global outlier in having the small business exemption in privacy laws, with no other comparable jurisdiction exempting small businesses from general privacy law.
The carve out, unchanged since 2000, sees most small businesses with an annual turnover of $3 million or less – which account for 97 percent of Australian businesses – not covered by the Privacy Act 1988, with no legal duties around data privacy. That means there is no obligation to keep personal information secure, or to notify those affected when there is a data breach. Exceptions – including health service providers, those trading in personal information, credit reporting bodies and operators of residential tenancy databases – exist, but the AIIA wants the carve out removed and a clear distinction and liability assigned between data controllers and processors.
That’s something the government is already considering.
Last year the Attorney-General Mark Dreyfus said the government had agreed in principle to a proposal to remove the exemption, in a move that would see around 2.3 million small businesses face new obligations when it comes to handling personal information.
A ‘reasonable’ transition time would be provided for companies to comply.
The change, if accepted as is, could add significant costs to annual expenses for small businesses in Australia. Alongside the data security and breach reporting obligations, the proposals include an expanded definition of ‘personal information’ that would require logged user IP addresses and device identifiers to be secured as well.
Simon Bush, AIIA chief executive, last week called for the government not to water down those privacy protections, with the amendments due to be introduced into parliament next month, and highlighted the MediSecure breach as reinforcing the need for a cyber secure economy.
His plea came as e-prescriptions provider MediSecure put a figure on the numbers impacted by its April cyber breach, admitting that the personal and health information of 12.9 million individuals – almost half of Australia’s population – was exposed in a ransomware attack. Data including individual health identifiers, Medicare details, concession card numbers, names, email addresses and phone numbers was stolen, along with details of prescriptions and the reasons for those prescriptions.
The company has since gone into administration and liquidation. It has been unable to identify specific impacted individuals ‘due to the complexity of the data set’.
“There is serious potential for ongoing harm when personal data is stolen, ranging from identity theft to scams to extortion,” Bush notes.
“We believe the digital economy is as strong as the weakest link and the small business exemption is that weakest link.”
He says SMEs, like general practitioners and accountants, can hold sensitive personal data and exempting them is essentially leaving a gaping back door open.
“Coupled with the lack of distinction and liability assigned between data controllers and processors, Australian businesses are left confused on who is responsible for what, and what remedial actions must be taken quickly. The industry has waited for the Privacy Act review for five years to set clear expectations and support mechanisms to help both large companies and SMEs to meet these expectations.”
“The AIIA supports the updating of the Privacy Act and bringing it into the digital age to support our digital economy,” Bush says.
The AIIA is urging the government to accept recommendations from its own review into the Privacy Act and to insert ‘a clear distinction and liability assigned between data controllers and processors’ – and not be ‘sidetracked by noisy small business lobbyists’.
“The industry is keen to see these protections enacted following five years of government consultations and a multitude of breaches in recent years.
“Smaller businesses, such as smaller professional services, health and accounting firms, often hold highly sensitive personal information. We are concerned about the potential risks if these small businesses fail to safeguard it properly.”
The AIIA also says removing the small business exemption would yield ‘a significant return on investment’ in terms of both public and industry sentiment, and create a more consistent and predictable environment for investment and development in the technology sector.
Interoperability with international privacy frameworks, especially the GDPR, is required, the AIIA says, ‘strongly’ cautioning the Attorney-General’s department against deviating from well-established international standards, something it says could lead to confusion and reduced trust in Australia’s privacy regulations.
The Office of the Australian Information Commissioner, which says the MediSecure breach involved the largest number of impacted individuals ever notified to it under the Notifiable Data Breaches scheme (which provides for fines of up to $50 million or 30 percent of a company’s adjusted turnover), also used news of the breach numbers to further its calls for privacy changes.
Privacy Commissioner Carly Kind says the coverage of Australia’s privacy legislation lags behind the advancing skills of malicious actors.
“Reform of the Privacy Act is urgent to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.”