
Year-old data breach laws no cause to celebrate

Anniversaries should be occasions of joyous celebration of milestones reached; birthdays are such, and yet not all birthdays are a cause to celebrate. The OAIC’s one-year-old baby, the Mandatory Data Breach Legislation, is a shameful con that deserves not to be toasted, writes Michael Connory.

Emma Musgrave | 28 February 2019 | Big Law

Image: Parliament House

Reflecting on the past year’s successes and achievements made good, for the OAIC’s Mandatory Data Breach Legislation, its first birthday is best described as a failure – a falsehood based on a promise to make changes and act which has seen none of that eventuate.

Among all the adjectives to describe the legislation, what is most appropriate is to view it as a quarry – land fill comprised of rubbish of which we are asked to believe is something other than what it is.

Since the legislation’s introduction, it’s hard to argue that Australia’s business landscape hasn’t changed, and the change has come wrapped in compelling drama since the Hayne royal commission turned the finance sector on its head: recommendations to overhaul the brokers sector, criticisms of APRA and ASIC, inferred recommendations for criminal prosecution, the beheading of some of the sector’s biggest names, theft of our private information, and so the list becomes a perpetuating damnation of a landscape in demise.


But what of the lawyers, and what must they be thinking amid a farce that is not a lawyer’s picnic but a legal minefield where every step is death in the offing? The OAIC, in its continued failings, is now unwittingly or otherwise setting itself up for legal suits or class actions the likes of which have not been seen in Australia.

Our personal information is a river of gold that flows deep and lawyers know what a pot of gold the OAIC is leaving at the end of this rainbow.

But from all the negatives, the opportunity to learn becomes the essence of progression, and if anything, the need to learn becomes a necessity for future development.

As observers of our own fate, we have learned that many organisations continue to fail to understand the law and the responsibilities to which they are bound.

Recent statistics tell us more about our fate and about the failure of businesses to understand the law. They are best represented by the following: almost 25 per cent of all reported data breaches in 2018 impacted only one individual, and 85 per cent of those involved an individual’s home address, phone number and/or email address.

What follows is the observation that although many organisations take data breach laws seriously, the underlying paradox continues to be an inability to comprehend the requirement, written into the data breach legislation, that individuals face serious harm.

Many organisations have self-reported breaches as a result of emails being sent to the wrong person, which of course identifies another glaring error in how the issue is handled. But does it constitute serious harm?

What is abundantly clear is that the many organisations, the big four banks among them, who have self-reported numerous times continue to repeat their mistakes and remain unaccountable.

The OAIC is the established watchdog charged with overseeing and reining in the behaviour of organisations to ensure our privacy is protected. We think of watchdogs as vicious animals who could strike at any time at the threat of attack against their masters; and yet what we have with the OAIC is the complete antithesis: a toothless animal incapable of defending the very house it is meant to protect.

In the past year, what is more evident than before is that the OAIC, regardless of the size of an organisation or breach, continues to fail to act as it should.

The OAIC defends its position and recoils in denial when challenged, but statistical evidence doesn’t lie. In the last year, five data breaches have impacted more than 100,000 Australians. With two of those breaches, more than 1 million were impacted, and yet again, the OAIC failed to initiate a commissioner-led investigation.

No organisation has been fined regardless of the number of breaches. It’s an interesting conundrum we find ourselves in, when the designated watchdog cowers into hiding.

Security in Depth has reviewed many Australian businesses and researched which organisations had implemented incident response plans when the legislation was first enacted: 17 per cent had a plan in place, an indication that businesses were ill-prepared. That figure has since increased to 36 per cent. What is interesting is that when asked whether these programs had actually been tested, 9 per cent had conducted incident response tests to see if they worked.

So has anything changed over the last year, and are we now safer and better off because of these new laws? The simple answer is no.

What is clear is an endemic pattern: a failure to understand laws that are, in any case, not strong enough and do not incentivise organisations to change their policies and procedures.

If the government wants to review lessons learned, it should look no further than Europe, with the GDPR and the EU Cybersecurity Act.

Australia has much to learn if we are to protect one of our key assets: our data and privacy.

Michael Connory is the CEO of Security in Depth.
