Contradictions and inconsistencies in Australia's mandatory data breach notification laws

“…This further shifts responsibility for managing risks to the affected individual. From the perspective of breached organizations, the immaturity of the data breach response system, 5 and the absence of mechanisms through which organizations are able or required to assist affected individuals, may further entrench the view that data breach notification is simply another regulatory hoop through which they must jump (Gibson and Harfield, 2021). The substantive objectives of notification are lost; instead, notification increasingly becomes a way to address an identified legal risk (non-compliance with mandatory notification requirements) and to shift responsibility to other parties; other parties who may fall subject to serious victimization as a consequence of the data breach.…”

“…This contemplative essay, born from legal analysis of apparent contradictions in MDBN statutory frameworks (Gibson and Harfield, 2021), has considered the nature of victimization related to identity usurpation arising from data breaches, with particular reference to data breaches achieved through ransomware attacks. A complex landscape of victimization and conflicting interests has been observed, which has informed the presentation here of a taxonomy of data breach victimization.…”

“…(Notification to the relevant regulatory authority is required ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’: Art 33(1).) In jurisdictions such as California where notification of a data breach is required irrespective of harm, this is usually compensated by the fact that ‘personal information’ is defined to include only specific types or combinations of personal information (Cal Civ Code §§ 1798.29, 1798.82; Gibson and Harfield, 2021). Some laws also specifically require organizations to include as part of their notification, advice, or recommendations to affected individuals on the steps they can take to protect themselves from harm (see, for example, Privacy Act 1988 s 26WK(3)(d)).…”

“…Theoretically, prompt action on the part of the victim will reduce the extent of the harm they could suffer. Such a policy approach – the efficacy of which is examined elsewhere (Gibson and Harfield, 2021) – contributes to the normalization of digital victimization (Dupont, 2019; Junger et al, 2017).…”

“…These consequences include amplified victim vulnerability, in part due to the conflict of victims’ interests – specifically, the conflict between the interests of the corporate data-holding victim who experienced the ransomware attack (the breached organization), and the interests of the affected individual (or data subject) whose personal information is compromised in such an attack. Using Australia as a case study of the problems brought into sharp relief, this paper considers the legislated policy response (MDBN laws) intended to mitigate the vulnerability of identity usurpation – a not unproblematic response in itself (Gibson and Harfield, 2021). It then describes the rapid evolution of ransomware and how this has resulted in exacerbated victimization.…”

Amplifying victim vulnerability: Unanticipated harm and consequence in data breach notification policy

“…This further shifts responsibility for managing risks to the affected individual. From the perspective of breached organizations, the immaturity of the data breach response system, 5 and the absence of mechanisms through which organizations are able or required to assist affected individuals, may further entrench the view that data breach notification is simply another regulatory hoop through which they must jump (Gibson and Harfield, 2021). The substantive objectives of notification are lost; instead, notification increasingly becomes a way to address an identified legal risk (non-compliance with mandatory notification requirements) and to shift responsibility to other parties; other parties who may fall subject to serious victimization as a consequence of the data breach.…”

“…This contemplative essay, born from legal analysis of apparent contradictions in MDBN statutory frameworks (Gibson and Harfield, 2021), has considered the nature of victimization related to identity usurpation arising from data breaches, with particular reference to data breaches achieved through ransomware attacks. A complex landscape of victimization and conflicting interests has been observed, which has informed the presentation here of a taxonomy of data breach victimization.…”

“…(Notification to the relevant regulatory authority is required ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’: Art 33(1).) In jurisdictions such as California where notification of a data breach is required irrespective of harm, this is usually compensated by the fact that ‘personal information’ is defined to include only specific types or combinations of personal information (Cal Civ Code §§ 1798.29, 1798.82; Gibson and Harfield, 2021). Some laws also specifically require organizations to include as part of their notification, advice, or recommendations to affected individuals on the steps they can take to protect themselves from harm (see, for example, Privacy Act 1988 s 26WK(3)(d)).…”

“…Theoretically, prompt action on the part of the victim will reduce the extent of the harm they could suffer. Such a policy approach – the efficacy of which is examined elsewhere (Gibson and Harfield, 2021) – contributes to the normalization of digital victimization (Dupont, 2019; Junger et al, 2017).…”

“…These consequences include amplified victim vulnerability, in part due to the conflict of victims’ interests – specifically, the conflict between the interests of the corporate data-holding victim who experienced the ransomware attack (the breached organization), and the interests of the affected individual (or data subject) whose personal information is compromised in such an attack. Using Australia as a case study of the problems brought into sharp relief, this paper considers the legislated policy response (MDBN laws) intended to mitigate the vulnerability of identity usurpation – a not unproblematic response in itself (Gibson and Harfield, 2021). It then describes the rapid evolution of ransomware and how this has resulted in exacerbated victimization.…”

Amplifying victim vulnerability: Unanticipated harm and consequence in data breach notification policy