Why are organizations still struggling to protect our data? We surveyed 50 professionals on the front lines of privacy protection

More of our personal data is now collected and stored online than ever before in history. The increase in data breaches should disturb us all.

On an individual level, data breaches can compromise our privacy, harm our finances and mental health, and even enable identity theft.

For organizations, the repercussions can be just as severe, often leading to significant financial losses and brand damage.

Despite the growing importance of protecting our personal information, it remains fraught with challenges.

As part of an in-depth study of data breach reporting practices, we surveyed 50 senior executives working in information security and privacy. Here is what they told us about the multifaceted challenges they face.





What does the law actually say?

A data breach occurs whenever personal information is accessed or disclosed without authorization, or is lost. Optus, Medibank and others have all experienced high-profile incidents in recent years.

Under Australian privacy law, organizations are not allowed to sweep major cyberattacks under the rug.

Optus suffered a major data breach in 2022.
Bianca De Marchi/AAP

They must notify both the regulator, the Office of the Australian Information Commissioner (OAIC), and any affected person of breaches that are likely to result in “serious harm”.

But according to the organization leaders we interviewed, this raises a tricky question: how do you define serious harm?

Interpretations of what “serious harm” actually means, and how likely it is to occur, vary widely. This inconsistency makes it very hard to predict the specific impact of a data breach on a given individual.

Victims of domestic violence, for example, may be at increased risk when their personal information is exposed, creating harm that is difficult to predict or mitigate.

Enforcing the rules

Respondents were also concerned about the regulator’s ability to provide guidance and enforce data protection measures.

Many felt the OAIC is underfunded and lacks the power to properly impose and enforce fines. The consensus was that the challenge of protecting our data is now beyond the power and resources of the regulator.

As one information security manager at a publicly traded company said:

What’s the point of having speeding signs and cameras if you’re not going to ticket anyone?

A lack of enforcement can discourage organizations from investing in strong data protection.

Just the tip of the iceberg

Data breaches are also underreported, especially in the business sector.

A senior cybersecurity consultant at a large multinational company told us that companies have a strong incentive to downplay or cover up breaches, to avoid embarrassment.

This culture means that many breaches that should be reported simply are not. One senior official estimated that only about 10 percent of reportable breaches end up being disclosed.

Without this fundamental transparency, the regulator and those affected cannot take the necessary steps to protect themselves.

Data subjects cannot take steps to protect themselves if breaches are not reported.
Yuri A/Shutterstock

Third-party breaches

When we give our personal information to one organization, it can end up in the hands of another organization we did not expect. Key tasks, notably database management, are often outsourced to third parties.

Outsourcing tasks can be a more efficient option for an organization, but it can make protecting personal data even more complicated.

Respondents told us that breaches were more likely when using third-party vendors, because outsourcing limits the control they have over security measures.

Between July and December 2023, third-party data breaches in Australia increased by more than 300% compared with the previous six months.

There have been some high-profile examples.

In May this year, many ClubsNSW customers had their personal information potentially compromised via an attack on third-party software provider Outabox.

Bunnings suffered a similar breach at the end of 2021, via an attack on the scheduling software provider FlexBooker.

In 2021, Bunnings had outsourced some customer booking tasks to third-party provider FlexBooker.
Dave Hunt/AAP

Get the basics right

Some organizations still struggle to master the basics. Our research found that many data breaches occur because outdated or “legacy” data systems are still in use.

These systems are old or inactive databases, often containing enormous amounts of personal information about everyone who has ever interacted with them.

Organizations tend to keep personal data longer than the law requires. This may be due to confusion about data retention requirements, but also the high cost and complexity of securely decommissioning legacy systems.

A privacy officer at a large financial services institution told us:

In an organization like ours, where we have more than 2,000 existing systems (…) the systems do not communicate with each other. They don’t come with big red delete buttons.

Other interviewees pointed out that risky data testing practices are widespread.

Software developers and technical teams often use “production data” – real customer data – to test new products. This is often faster and less expensive than creating test data sets.

However, this practice exposes real customer information to less secure testing environments, which typically lack the access controls, monitoring and patching discipline of production. A senior cybersecurity specialist told us:

I’ve seen it so much across all industries (…) It’s literally real, live information going into systems that aren’t real or real and have low security.
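The safer alternative to copying production data into test is to pseudonymise it on the way out, so that developers get realistic, joinable records while no real customer value ever reaches the lower-security environment. The following is an added example written for this page; it is not code from the study or from any of the organizations named. The record layout, the field names and the sample record are constructed for illustration, and the per-environment key is assumed to live in a secret store outside the test environment.

```python
"""Pseudonymise a customer record before it is copied into a test environment.

Added illustration for this article; field names and sample data are hypothetical.
Design: keyed, deterministic tokens (joins between tables still work in test),
truncated card numbers, per-record date shifting, and an allow-list so that any
field not explicitly handled (free-text notes, for instance) never leaves production.
"""
import datetime
import hashlib
import hmac

# Assumption: one key per target environment, rotated and stored in a secret store.
TEST_ENV_KEY = b"rotate-me-per-environment"

# Constructed sample record; not real customer data.
SAMPLE_RECORD = {
    "customer_id": 10482,
    "email": "Jane.Citizen@example.com",
    "full_name": "Jane Citizen",
    "card_number": "4111 1111 1111 1111",
    "date_of_birth": "1985-07-14",
    "postcode": "2000",
    "plan": "premium",
    "support_notes": "Caller mentioned a new address and a partner's phone number",
}


def _token(value: str, key: bytes, length: int = 16) -> str:
    """Keyed deterministic token. Same value + same key -> same token, so
    foreign keys still line up in test; without the key the token is not reversible."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def pseudonymise_email(email: str, key: bytes) -> str:
    """Replace the whole address. The domain is dropped too: a small employer's
    domain on its own can identify a person."""
    return f"user-{_token(email, key)}@example.test"


def mask_card(pan: str) -> str:
    """Keep only the last four digits, which is what most test cases need to display."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def shift_date(iso_date: str, record_id: str, key: bytes, window_days: int = 180) -> str:
    """Shift a date by a per-record offset in [-window, -1] or [1, window].
    Every date in one record moves by the same amount, so intervals (age at
    sign-up, days between events) survive, but the original date never does."""
    offset = int(_token(record_id, key), 16) % (2 * window_days) - window_days
    if offset >= 0:
        offset += 1  # never a zero shift
    day = datetime.date.fromisoformat(iso_date)
    return (day + datetime.timedelta(days=offset)).isoformat()


def mask_record(rec: dict, key: bytes) -> dict:
    """Allow-list transform: only the fields named here reach the test copy."""
    rid = str(rec["customer_id"])
    return {
        "customer_id": _token(rid, key),
        "email": pseudonymise_email(rec["email"], key),
        "full_name": "Customer " + _token(rec["full_name"] + rid, key, 8),
        "card_number": mask_card(rec["card_number"]),
        "date_of_birth": shift_date(rec["date_of_birth"], rid, key),
        "postcode": rec["postcode"][:2] + "00",  # coarsen to a region, keep format
        "plan": rec["plan"],  # non-personal attribute, copied as is
    }


def leaks(original: dict, masked: dict,
          sensitive=("email", "full_name", "card_number", "date_of_birth")) -> list:
    """Exit check before the export is allowed: return the sensitive fields whose
    raw production value still appears anywhere in the masked record."""
    blob = " ".join(str(v) for v in masked.values()).lower()
    found = []
    for field in sensitive:
        raw = str(original[field]).lower()
        if field == "card_number":
            raw = "".join(ch for ch in raw if ch.isdigit())
        if raw in blob:
            found.append(field)
    return found


if __name__ == "__main__":
    out = mask_record(SAMPLE_RECORD, TEST_ENV_KEY)
    print(out)
    print("leaked fields:", leaks(SAMPLE_RECORD, out))
```

The `leaks` check is the part worth automating in a pipeline: run it over every exported row and fail the export if it returns anything, so a newly added column cannot quietly reintroduce real data. Determinism is deliberate; if the same key is also used to pseudonymise a second table, the tokens match and referential integrity in test is preserved without ever shipping the real identifiers.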

What should be done?

Drawing on insights from industry professionals, our research highlights how complex data protection has become in Australia and how quickly the landscape is changing.

Addressing these issues will require a multi-pronged approach, including clearer legislative guidelines, better enforcement, greater transparency, and robust security practices for the use of third-party vendors.

As the digital world continues to evolve, our strategies for protecting ourselves and our data must evolve as well.