Data Breach Detection and Mandatory Data Breach Notification Laws in Australia
Data Breach Detection
Data breaches have become common in a world where everything is connected to the internet. As institutions rely more heavily on technology, the probability of a data breach increases, and breaches are expected to grow further as technologies such as the Internet of Things emerge and are widely adopted (Kenkre, Pai and Colaco, 2015, 405-411). Many people also lack sufficient knowledge of what a data breach is and how data can be protected against one. Identifying a data breach is not easy and requires detailed knowledge of how breaches can be discovered. Australia has a mandatory data breach notification law. This essay analyses the strengths and weaknesses of Australia's mandatory data breach notification laws. It also gives a technical overview of how a breach can be detected and provides an example of signature-based detection of data exfiltration. The last section discusses the General Data Protection Regulation and Australian cyber security in the context of international anarchy.
Data breach detection is necessary, especially in environments where the risk carried by the loss of data is very high. Detecting a data breach is hard, and detection techniques are considerably more difficult than the techniques used to protect data. It is sometimes not even clear whether a breach ever happened (Uddin, 2013, 97-105). There are many examples of breaches that were detected long after they actually occurred. According to the Ponemon Institute's Cost of a Data Breach Study, breaches such as privilege misuse (involving either external or internal threat actors), POS intrusion and cyber-espionage can take longer than a month to be detected. The study reported that the average number of days taken to discover a breach is 191 (Liao, et al., 2013, 16-24). It is difficult to watch business data on a daily basis and look for signs of misuse.
In this context, law enforcement mechanisms such as data protection laws, fraud protection and third-party discovery act as internal methods of detecting a breach (Patel, 2013, 25-41). The recent breach of credit cards at the fast food chain Sonic showed that the company learned of the breach from its credit card processor, which had noticed unusual activity on cards that had been used for payments at Sonic.
Data is monitored in real time, watching for patterns, especially patterns of unauthorised access. Monitors also look for sets of queries that cut across several domains, i.e. diverse units or business departments, and for queries that dig unusually deep in scope or depth. When such queries are made against the data, the query's source is first checked for authentication and only then is the query honoured (Meng, Li and Kwok, 2014, 189-204). Most of these queries are legitimate, and the small delay affects everyone, but it is beneficial when unauthorised penetration attempts are made. Detection can also rely on the fact that normal data consumers almost always ask for information in manageable pieces, not in huge quantities (Casas, Mazel and Owezarski, 2012, 772-783).
Strengths and weaknesses of mandatory data breach notification laws
Data protection needs multiple layers of defence and extraordinary IT hygiene, i.e. systems are updated and patched in a formal, controlled and rapid manner, and access logs and audit trails are kept and verified for issues at the same time (Islam and Rahman, 2011, 1-8).
The Australian government has overhauled its privacy legislation by introducing new protections designed to address the issues of the digital age. The Notifiable Data Breach (NDB) Scheme imposes data breach notification obligations on many organisations. The key strength of the mandatory data breach notification law is that it amended the Australian Privacy Act 1988 to require organisations such as Australian government agencies, not-for-profit organisations, private organisations with an annual turnover of $3 million or more, TFN recipients, credit reporting bodies and health service providers to disclose any potential data breach (McLean 2018). This is a strength because it forces these organisations to make mandatory disclosures and to take proactive action to ensure the data security of their customers. For example, the scheme recorded 242 incidents in its first quarter, which demonstrates its effectiveness in promoting data security (Chapman 2018). It requires organisations that suspect an eligible data breach to investigate within 30 days. This means that they have to start investigating the matter right after they suspect an issue, which increases their obligation and contribution to the process and ensures that the government can hold them accountable if they did not take appropriate measures to secure customer data.
It requires corporations to make a disclosure even if they merely believe that a breach has occurred. This is a strength because it places obligations on the companies rather than treating them as victims of cyber-attacks. It also requires them to be proactive, and failure to comply with these policies attracts a fine of up to $2.1 million under the privacy legislation (Lennon and Odendaal 2018). However, the new regulations have certain weaknesses. The key weakness is that they do not cover state government agencies, which are governed by their states' own privacy laws and under those laws do not have to make mandatory data breach disclosures. For example, the Australian Taxation Office and Centrelink use the MyGov system for voice identification technology along with other electronic ID systems. Section 109 of the Constitution gives the federal NDB law precedence over state law; however, the states do not have to comply with the NDB and can continue to follow their own privacy laws, which is a major weakness (Kleinman 2016). The NDB also makes no provision for a mandatory announcement when non-personal data is compromised; it only provides policies for cases where customers' personal data is breached. Moreover, corporations can deny that they were aware of a breach and thereby avoid making a mandatory disclosure or investigating the breach, which is a further weakness (Covata 2018). It is difficult to prove that a corporation was aware of a data breach yet did not take the necessary steps to notify the appropriate authorities or investigate the matter, which is a major weakness of these regulations.
The Notifiable Data Breach Scheme
The law was applied under the Privacy Act under the name of the NDB scheme, which came into effect on 22 February 2018 for all firms and agencies with existing personal information security obligations. It was instated by the passage of the Privacy Amendment Act 2017 (Smyth, 2012, 159). The scheme is beneficial because it obliges firms to notify the individuals whose personal information was involved in a data breach that is likely to result in serious damage. The notification includes suggestions about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be informed of any eligible data breach. The scheme must be complied with by institutions such as Australian Government agencies, not-for-profit and business organisations with an annual turnover of $3 million or more, providers of health services, TFN recipients and credit reporting bodies.
Data breach examples that must be notified are:
- A device containing consumers' personal information is lost or stolen.
- A database containing personal information is hacked.
- Personal information is mistakenly given to the wrong person.
This helps the person concerned to know which of their data has been breached, and it is beneficial because the person can take immediate action to secure their data. It makes companies proactive and does not let them play the victim card. It should be noted, however, that the states are not bound to apply this law, and many of them have not adopted it; a law that is not applied uniformly may not prove effective (Weber and Studer, 2016, 715-728). It should also be noted that, since proving a company was aware of a data breach is difficult, there is a greater chance that information about a breach will never reach the actual victims.
There are various ways in which breaches can be detected. Security information and event management (SIEM) technology can be used, relying primarily on signatures to find undesirable behaviour. Signature-based detection is one of the best ways to detect data breaches.
Signature matching and session behaviour mapping, when used together, form a very effective technique for detecting application traffic. Signature-based detection addresses the major challenge in detecting data exfiltration: adversarial behaviour, in which effort is put into masking patterns so that they look ordinary and evade detection. Signature-based detection works as a scanner, searching for a known identity or signature for every individual intrusion event (Jamshed, et al., 2012, 317-328). To keep up with changes in attackers' techniques it works like anti-virus software, depending on regular signature updates. Its effectiveness is highly dependent on the amount of data held in the database of pre-stored signatures.
To understand how a signature-based detection system works, it is essential to understand that the system operates on patterns of threats. This can be understood through the example illustrated below.
Suppose an e-mail arrives with an attachment containing previously known malware and an enticing subject line such as "I miss you". (A remote login by admin users is likewise a clear violation of organisational policy.) When the email is sent it passes through the firewall, where it is distributed along two paths. One path goes to the corporate LAN, where the person concerned, i.e. the email address to which the mail was sent, receives the email. At the same time the mail is also passed to the signature-based detection system, which checks it against all of its pre-stored signatures to decide whether it is a data breach attempt. If a signature matches, the system generates an alert that a data breach attempt was made. This may take time, since the matching process is slow. The signature for the file would be generated as:
Header: IPv4
Protocol: HTTP
Destination Port: 80
Signature String: "I Miss You"
If there is even a small variation in the signature, the threat will not be detected; for example, if "miss you" arrives instead, the threat may be missed. Signatures therefore have to be updated on a regular basis. Signature-based detection does offer exact detection of known threats by comparing network traffic with the threat signature database (Dhage, 2011, 235-239). Detection can be improved if the system can learn the specific patterns of traffic within the network, thereby reducing false positives.
Figure 1: Intrusion Detection and Prevention Systems (Source: Rao and Nayak 2014)
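To make the matching behaviour and the brittleness just described concrete, here is an added Python example (not code from the essay or from any IDS product) that checks constructed messages against a signature with the same four fields as the one above, first verbatim and then with a case-insensitive regular expression; the packet records, signature names and helper functions are all assumed for illustration.

```python
"""Toy signature-based detector modelled on the essay's four-field signature.

Constructed example: the packet records and the signature entries below are
made up for illustration and do not come from any real capture or IDS ruleset.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured message: only the fields a signature inspects."""
    ip_version: int
    protocol: str
    dst_port: int
    payload: str


@dataclass(frozen=True)
class Signature:
    """One entry of the signature database (Header / Protocol / Port / String)."""
    name: str
    ip_version: int
    protocol: str
    dst_port: int
    pattern: str
    is_regex: bool = False  # False: verbatim string, as in the essay's example


def matches(sig: Signature, pkt: Packet) -> bool:
    """Header fields must match exactly; then the signature string is looked
    for in the payload, verbatim or (for the hardened entry) as a regex."""
    if (sig.ip_version, sig.protocol, sig.dst_port) != (
        pkt.ip_version, pkt.protocol, pkt.dst_port
    ):
        return False
    regex = sig.pattern if sig.is_regex else re.escape(sig.pattern)
    flags = re.IGNORECASE if sig.is_regex else 0
    return re.search(regex, pkt.payload, flags) is not None


def scan(packets, signatures):
    """Return (signature name, packet index) for every alert the scanner raises."""
    return [
        (sig.name, idx)
        for idx, pkt in enumerate(packets)
        for sig in signatures
        if matches(sig, pkt)
    ]


# The essay's signature: IPv4 / HTTP / port 80 / "I Miss You", matched verbatim.
EXACT_SIG = Signature("i-miss-you-exact", 4, "HTTP", 80, "I Miss You")
# Hardened entry: same header fields, but tolerant of case and of the missing "I".
LOOSE_SIG = Signature("i-miss-you-regex", 4, "HTTP", 80, r"\bmiss\s+you\b", is_regex=True)

# Constructed traffic: an exact hit, the essay's "miss you" variation,
# the same subject on another port (header mismatch), and a benign message.
SAMPLE_PACKETS = [
    Packet(4, "HTTP", 80, "Subject: I Miss You\r\n\r\n<attachment: invoice.exe>"),
    Packet(4, "HTTP", 80, "Subject: miss you\r\n\r\n<attachment: invoice.exe>"),
    Packet(4, "HTTP", 443, "Subject: I Miss You\r\n\r\n<attachment: invoice.exe>"),
    Packet(4, "HTTP", 80, "Subject: Quarterly report\r\n\r\nSee attached figures."),
]


def demo():
    """Run both signature databases over the sample traffic and return the alerts."""
    return scan(SAMPLE_PACKETS, [EXACT_SIG]), scan(SAMPLE_PACKETS, [LOOSE_SIG])


if __name__ == "__main__":
    exact_alerts, loose_alerts = demo()
    print("verbatim signature:", exact_alerts)  # only packet 0
    print("regex signature   :", loose_alerts)  # packets 0 and 1; packet 2 still missed
```

Packet 2 is missed by both entries because its destination port differs from the signature, which shows that header fields are part of the signature just as much as the string is.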
The number of data breach attacks has increased globally, negatively affecting many individuals, organisations and governments. The Australian government has implemented various laws to address the challenges of cyber security and to ensure that the data of individuals and organisations is protected from unauthorised access. The Notifiable Data Breach Scheme is a good example, targeted at reducing the number of incidents involving the violation of parties' data. It is a positive step taken by the government to ensure that organisations take data breaches seriously and take appropriate precautionary measures so that their data security systems are strong and their information is protected from unauthorised access (Solomon 2017, 16). Under this law, the government has imposed mandatory policies on organisations, including government agencies, requiring them to give notification even if they merely believe that their data might have been compromised.
The risk of hacktivism attacks is also increasing, especially against political parties and agencies, whose private data is collected in order to leak it publicly. Hacktivism refers to the act of misusing a computer system, or hacking, to convey a social or political message. Hacktivists are the individuals who perform hacktivism, and they take these steps to bring to the public's attention what they believe is important, such as human rights, freedom of expression or other causes. Many people argue that hacktivists are activists for a specific group, whereas others consider them terrorists. Implementation of the Notifiable Data Breach Scheme is therefore a good step taken by the Australian government towards ensuring that organisations take precautionary measures and remain active in protecting customers and their data from cyber-attacks (Slocombe 2018, 30). On the other hand, the General Data Protection Regulation (GDPR) has been implemented in EU law to protect the data and privacy of all individuals living in the EU and the European Economic Area. Australian companies that operate in the European Union have to comply with these laws (Carey 2018). Upcoming legislation implemented by the government, the Australian Government Agencies Privacy Code, and the Notifiable Data Breach Scheme are similar to the GDPR because they focus on encouraging businesses to become more transparent. Implementation of the GDPR increases the responsibility of corporations when they collect users' private data, and they have to ensure that appropriate measures are taken for the security of user data. The strengths of the GDPR are that it promotes organisational awareness and increases transparency in multinational companies that collect user data.
Therefore, the Australian government has taken various necessary steps to ensure the cyber security of user data; however, this is not the case in the context of international anarchy.
General Data Protection Regulations in the Australian cybersecurity context
Many nations are serious about implementing appropriate policies to ensure that user data is protected and that businesses are held accountable for their actions if they fail to take precautionary measures for cyber security. The European Union is a good example, because the introduction of the GDPR is a step towards a harmonised system that ensures the data privacy of individuals is protected (Hornung 2012, 64). The government wanted to ensure that large enterprises such as Google and Facebook, which collect substantial amounts of user data, take relevant measures to secure that data. Cyber-attacks on social media sites are increasing, and the privacy of their users is breached across the globe. Thus, the government wanted to implement provisions that hold these parties liable for their actions when they did not implement appropriate policies to ensure the data privacy of their users. In the case of the United States, the government has implemented various laws to ensure cyber security. The Cybersecurity Information Sharing Act (CISA) is a good example of legislation enacted by the government to improve cyber security in the United States by encouraging information sharing (Heidenreich 2015, 395). Similarly, the Cybersecurity Enhancement Act of 2014 is another act focused on strengthening cyber security research and development and increasing public awareness. However, these policies are not enough to ensure that organisations are held accountable for not taking appropriate action to enhance their cyber security policies.
These regulations are weak compared to the GDPR and the Notifiable Data Breach Scheme, which are more effective in ensuring that corporations give notification when they merely believe that their data has been compromised. They promote a culture that embraces and reinforces cyber security policies, ensuring that the online safety of users is maintained and their data is protected from cyber criminals (Harries and Thomson 2018, 9). Other countries such as Indonesia, India and China have failed to implement appropriate policies to protect cyber security in their countries. These countries have not implemented provisions that take cyber security seriously, and they have not chosen to place accountability on organisations that suffer a cyber-attack (Johnson et al. 2014, 089-116). Until proper accountability is imposed on corporations, mandatory compliance with cyber security policies will be substantially difficult. The privacy of individuals will continue to be breached through the fault of enterprises that failed to secure their data or to notify when a data breach occurred (Uma and Padmavathi 2013, 390-396). Therefore, in the context of international anarchy, Australia is one of the countries that has understood the importance of cyber security. Australia stands out because other countries did not force their corporations to make mandatory disclosures; they focus on securing their economy rather than the security of their citizens. Other nations do not force domestic or international organisations to take precautionary measures because doing so could negatively affect their relationships, and so Australia stands out in comparison with other nations (Lukie 2018, 40).
Conclusion
In conclusion, the risk of breaches of data privacy and of data theft has increased across the globe. Cyber criminals target organisations to gain unauthorised access to their confidential data, which violates the privacy of their users. Corporations can use different ways to detect data breaches; however, these techniques are not effective in detecting the data violation. Organisations have to put great effort into using these techniques because they are time-consuming and increase the overall costs of enterprises. The Australian government understands the importance of the data theft issue and has therefore implemented the Data Breach Notification law, which makes it mandatory for companies to give notification if they believe that their data has been compromised. The strengths of these policies are that they promote precautionary action and force corporations to investigate in order to find vulnerabilities. Their weaknesses are that they do not apply to certain state-owned departments, such as ID verification, and that it is difficult to prove that corporations were aware of a breach, which makes it difficult to enforce the policies against them. When implementing an intrusion detection and prevention system, organisations can use the signature-based detection method, which is highly effective because it assists them in learning specific patterns to detect threats. The mandatory disclosure laws implemented by Australia are more effective than those of other nations because they put pressure on companies to take precautions and force them to conduct an investigation within a reasonable time, which other laws do not require. Therefore, these laws are more effective, and Australia stands out from other countries.
References
Carey, Peter. 2018. Data protection: a practical guide to UK and EU law. Oxford University Press.
Casas, Pedro, Johan Mazel, and Philippe Owezarski. 2012. “Unsupervised network intrusion detection systems: Detecting the unknown without knowledge.” Computer Communications 35, no. 7: 772-783.
Chapman, Catherine. 2018. “Australian data breach scheme proves a tentative success”. The Daily Swig. Accessed November 8, https://portswigger.net/daily-swig/australian-data-breach-scheme-proves-a-tentative-success.
Covata. 2018. “Most Australian organisations aren’t ready for the Notifiable Data Breaches scheme”. Covata. Accessed November 8, https://covata.com/media-releases/most-australian-organisations-arent-ready-for-the-notifiable-data-breaches-scheme-but-its-not-too-late/.
Dhage, Sudhir N., B. B. Meshram, R. Rawat, S. Padawe, M. Paingaokar, and A. Misra. 2011. “Intrusion detection system in cloud computing environment.” In Proceedings of the International Conference & Workshop on Emerging Trends in Technology, 235-239.
Harries, Alan, and Cathy Thomson. 2018. “Cyber risk.” The Agent 51, no. 5: 9.
Heidenreich, John. 2015. “The privacy issues presented by the cybersecurity information sharing act.” NDL Rev. 91: 395.
Hornung, Gerrit. 2012. “A General Data Protection Regulation for Europe: Light and Shade in the Commission’s Draft of 25 January 2012.” SCRIPTed 9: 64.
Islam, Md Safiqul, and Syed Ashiqur Rahman. 2011. “Anomaly intrusion detection system in wireless sensor networks: security threats and existing approaches.” International Journal of Advanced Science and Technology 36, no. 1: 1-8.
Jamshed, Muhammad Asim, Jihyung Lee, Sangwoo Moon, Insu Yun, Deokjin Kim, Sungryoul Lee, Yung Yi, and KyoungSoo Park. 2012. “Kargus: a highly-scalable software-based intrusion detection system.” In Proceedings of the 2012 ACM conference on Computer and communications security, 317-328.
Johnson, Joseph, Susan J. Lincke, Ralf Imhof, and Charles Lim. 2014. “A comparison of international information security regulations.” Interdisciplinary Journal of Information, Knowledge, and Management 9: 089-116.
Kenkre, Poonam Sinai, Anusha Pai, and Louella Colaco. 2015. “Real time intrusion detection and prevention system.” In Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014, 405-411.
Kleinman, Leonard. 2016. “Hidden challenges emerge as data breach notification laws finally hit Australia”. AFR. Accessed November 8, https://www.afr.com/technology/web/security/hidden-challenges-emerge-as-data-breach-notification-laws-finally-hit-australia-20161125-gsxnri.
Lennon, Jim and Edward Odendaal. 2018. “Data breach notification to become mandatory in Australia from 22 February 2018”. Data Protection Report. Accessed November 8, https://www.dataprotectionreport.com/2018/02/data-breach-notification-to-become-mandatory-in-australia-from-22-february-2018/.
Liao, Hung-Jen, Chun-Hung Richard Lin, Ying-Chih Lin, and Kuang-Yuan Tung. 2013. “Intrusion detection system: A comprehensive review.” Journal of Network and Computer Applications 36, no. 1: 16-24.
Lukie, Mark. 2018. “Lockdown! Time to lock down supply chain risk.” MHD Supply Chain Solutions 48, no. 4: 40.
McLean, Asha. 2018. “Australia’s Notifiable Data Breaches scheme is now in effect”. ZDNet. Accessed November 8, https://www.zdnet.com/article/australias-notifiable-data-breaches-scheme-is-now-in-effect/.
Meng, Weizhi, Wenjuan Li, and Lam-For Kwok. 2014. “EFM: enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism.” Computers & Security 43: 189-204.
Patel, Ahmed, Mona Taghavi, Kaveh Bakhtiyari, and Joaquim Celestino Júnior. 2013. “An intrusion detection and prevention system in cloud computing: A systematic review.” Journal of Network and Computer Applications 36, no. 1: 25-41.
Rao, U.H. and Nayak, U. 2014. “Intrusion Detection and Prevention Systems”. Springer Link. Accessed November 14, https://link.springer.com/chapter/10.1007/978-1-4302-6383-8_11.
Slocombe, Geoff. 2018. “World’s largest publicly revealed distributed denial of service attack.” Asia-Pacific Defence Reporter (2002) 44, no. 3: 30.
Smyth, Sara M. 2012. “Does Australia Really Need Mandatory Data Breach Notification Laws-And If So, What Kind.” JL Inf. & Sci. 22: 159.
Solomon, Andrew. 2017. “New mandatory data breach notification laws.” Superfunds Magazine 428: 16.
Uddin, Mueen, Azizah Abdul Rahman, Naeem Uddin, Jamshed Memon, Raed A. Alsaqour, and Suhail Kazi. 2013. “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents.” IJ Network Security 15, no. 2: 97-105.
Uma, M., and Ganapathi Padmavathi. 2013. “A Survey on Various Cyber Attacks and their Classification.” IJ Network Security 15, no. 5: 390-396.
Weber, Rolf H., and Evelyne Studer. 2016. “Cybersecurity in the Internet of Things: Legal aspects.” Computer Law & Security Review 32, no. 5: 715-728.