Finally, Australia has caught up with the rest of the world as data breach notification laws came into effect today.
However, the legislation language fails to highlight data source types and their breach risks – data at rest (systems data) and data-in-motion (network data) – you won’t be forgiven for a network data breach!
Let us remember that a “data breach that may be harmful…” is a breach of unencrypted data!
Today there is no excuse for successful breaches of network unencrypted data – whatever the network type. Whether core infrastructure links such as data centre interconnect, or simply WAN and MAN links – Ethernet or even IP links; any carrying sensitive data should be encrypted- whatever your preferred solution.
And, then there is the issue of what is “harmful” and notifiable. If there is one thing that’s true it is that breaches of unencrypted gigabytes of data from a network link in just minutes or seconds have a strong potential to be harmful!
Despite it taking Australian legislators five years to make amendments to the Privacy Act to address the increasingly serious data breach issues (breaches that have caused business and economic harm in addition to harming private citizens), the mandatory data breach notification scheme, now in effect, does fortunately include one key assurance to those “holding” data that may cause “…serious harm…”.
The detailed guide published by the Australian government includes this statement:
“For example, if the personal information is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there is no eligible data breach.”
By defining data “loss” (the regulations apply to all types of information – data, paper and even verbal communication) in that way, it is clear that lost data that is encrypted (to a recognised standard) is not “lost” data, nor a notifiable data breach under the scheme.
But there is a serious conundrum for “multiple organisations” in possession of data, especially for those using (global, international and local) Cloud and SaaS services that involve multiple data centres in multiple geographic jurisdictions.
In such cases, it’s not hard to realise that data location (and jurisdiction control) and its control is a problematic issue especially when it moves through multiple networks to multiple locations…
Should a network breach occur at any point in the Cloud/SaaS service network architecture, who’s “holding” the data?
The answers lie in the definition of “loss” – sensitive data should always be encrypted! If breached data is encrypted it is not a data “loss”. And today that solution is not hard.