Disclosure, particularly where the privacy of customer data is concerned, should be required, and transparency matters to both the public and oversight commissions as adversary attempts against agencies keep increasing. Everyone can learn from attacks when they are disclosed and shared; trusted circles of disclosure already exist in private-sector industries, and agencies and state-owned corporations would benefit from the same collaboration. Holding agencies to the same standards as the private sector also makes sense, since private companies are already bound by the Privacy Act and answerable for any breach of it.
There has been a lot of ambiguity around what constitutes a ‘significant enough’ breach, when notification needs to occur, and how it can be determined that no personally identifiable or health data was accessed. Regardless, knowing where your data is, knowing who or what has access to it, and taking steps to prevent unauthorised access are key, because the consequences of a breach affect us all.
Being judged in the court of public opinion through the media is gruelling regardless of how well an incident response is handled. Doubling down on ‘containment’ and ‘mitigating damage’ is critical, as it reflects a shift in focus from cyber defence alone to limiting the damage of attacks once they inevitably occur. A focus on ‘preparation’ and ‘proactive’ behaviours rather than purely reactive ones will reduce both the number of incidents and the effort required to meet the obligations laid out in the new scheme.
I believe that defining your protect surface and working from the inside out is the realistic approach that will lead to better long-term cyber resilience. Agencies should feel supported in their efforts, so that as they become more effective at avoiding unnecessary breach damage, they need to disclose less often.