Data visualisation suggests OAIC will closely monitor breach-notification rampup

Joins growing number of visualisation tools translating security metrics for consumers

A new data-analytics driven portal, launched this week by the Office of the Australian Information Commissioner (OAIC), will support the introduction of breach-notification laws by ramping up the visibility of information related to data breaches and investigations within Australian businesses.

The portal, which has initially been populated with data from the organisation’s latest annual report, offers breakdowns of the volume of privacy-related enquiries, the types of organisations they related to, the volume of requests for Information Commissioner reviews, and more.

A section for analysis of data-breach notifications – 123 of which were received during what information commissioner Timothy Pilgrim called the “pivotal reporting year” of fiscal 2015-16, 107 of which were voluntary – has also been incorporated but remains a work in progress, with a breakdown of the numbers promised “from 2016-17”.

Visual analysis of the OAIC’s activities highlight the rapid growth in demand for OAIC review of privacy-related issues: The OAIC reviewed 67 organisations through 21 separate assessments conducted through the year, including dozens of healthcare bodies investigated during an audit of GP clinics’ privacy policies.

The portal has highlighted the increase in demand for OAIC services, as well as tracking its effectiveness in resolving customer issues. The handling of some 2483 Freedom of Information-related questions, for example, represented an increase of 31 percent over the previous year while the agency received 510 requests for an Information Commissioner review – up 37 percent over the previous year.

“Our successes in both privacy and FOI regulation shows that open government, information access, data innovation and personal information protection are all dependent on a ‘strategically-transparent’ approach to information management,” Pilgrim said in a statement in which he lauded the government’s “actively pursuing the innovation potential of data”.

The pursuit of that potential has been driving a number of security and privacy related visualisations, with efforts such as the Safenet Breach Level Index positioning itself as a visual record of data breaches and the Arbor Networks-sponsored Digital Attack Map, which tracks and maps all manner of distributed denial of service (DDoS) attacks based on their source and target.

The inclusion of a visualization section in the OAIC portal suggests that the agency intends to keep a close eye on the increasing reporting of data breaches in the wake of the eventual introduction of mandatory data breach notification laws, which are still being debated nearly four years after they were first circulated in draft form.

Those laws will increase the compliance burden on businesses and are expected to spur a rush on cybersecurity insurance as well as concerns that a flood of over-reporting could overwhelm consumers who, one 2012 study found, were becoming desensitised to breaches.

Yet consumer attitudes have shifted in the intervening years, with a recent Gemalto study suggesting that most consumers expect businesses to protect data and are unforgiving of those that fail to do so. This could turn the OAIC portal and similar efforts into a consumer resource that fosters more-intelligent decision-making on the part of consumers.

A range of businesses have already invested in better reporting of privacy-related information requests, with regular reporting from companies including Telstra, Reddit, Yahoo, Twitter, Apple, and others.

“The OAIC appreciates the economic and social potential of data,” Pilgrim said, “and that this potential may be best realised when data sets can be reused and built upon. However, a critical condition for realising this potential is retaining community confidence that individual privacy is being protected — an outcome best achieved through a transparent approach to personal information management.”