How Can We Stay Safe After Data Breaches? Step 1 is to Change the Cybersecurity Laws
Last week, Australian airline Qantas announced that cyber attackers had accessed personal data about some of its customers, affecting approximately 5.7 million records. The attackers targeted an offshore IT call centre, which enabled them to gain access to a third-party system.
The company contacted affected customers shortly after the announcement and sent a follow-up email a week later. While this response may seem adequate, it raises questions about the need for stronger cybersecurity laws to prevent such breaches from happening in the first place.
Adequate Response or Lack of Action?
The Qantas breach is not an isolated incident. Australians have experienced similar data breaches in the past, including the 2022 Optus breach and the 2024 MediSecure hack. Taken together, these incidents highlight a broader issue with cybersecurity laws.
The email sent to affected customers by Qantas includes a section titled "What steps can I take to protect myself?" This part of the response encourages users to stay alert, use two-factor authentication, and visit IDCARE's Learning Centre. While these suggestions are helpful, they place a significant burden on the customer.
Is this approach fair or useful? Rather than just trying to protect ourselves after data breaches, we might be better off focusing our attention on why breaches occur and the legislators who make the rules for the companies that hold our data. It's time to rethink our response to data breaches and focus on prevention rather than reaction.
The Need for Stronger Cybersecurity Laws
Australia's cyber security law has been strengthened recently with the introduction of the Cyber Security Act 2024, which includes the establishment of the Cyber Incident Review Board. This board will make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of future cyber security incidents.
However, experts argue that focusing solely on breaches themselves prevents us from concentrating on prevention. US privacy scholars Daniel Solove and Woodrow Hartzog point out in their 2022 book Breached! that "data privacy law has an obsession with data breaches." This obsession has been the primary reason why the law has failed to stop the deluge of data breaches.
A More Effective Approach
Instead of relying solely on post-incident responses, we need legislation that focuses on prevention. This would involve requiring companies to conduct audits, establishing legally binding safety checks applicable to all relevant stakeholders, and imposing penalties for non-compliance with these standards.
By focusing our attention on lawmakers rather than immediate responses, prevention becomes a possibility. We don't have to accept the eternal pattern of panic, anger, and complacency that follows each data breach. It's time to break this cycle and take a proactive approach to protecting our personal data.
A Future Without Breaches
The Qantas breach is a wake-up call for all Australians. It highlights the need for stronger cybersecurity laws that prioritise prevention over reaction. By working together, we can create a future where data breaches are a thing of the past.