As breaches continue despite billions spent annually on security, businesses and government agencies can anticipate a surge of class actions and public-interest litigation, a legal academic and policy expert has warned.

Australia's businesses and government bodies spend around $21 billion a year on information security – a Home Affairs estimate of roughly $17b in costs, plus an annual information-security spend of $3.9b this year according to Gartner figures – yet even this level of expenditure is failing to deliver the security it is supposed to.

“There is no other area of public policy or social policy where such enormous costs are borne by the economy and where we seem to be less safe than more safe,” David Watts, a professor of information law and policy at La Trobe University Law School, told this month’s Australian Cyber Conference.

By comparison, he noted, Australia spent $24.1b on Medicare services last year and will this year spend $37.3b on Defence. “After all the money spent on cyber security, why are we not safer?”

Struggling to stand, still

Watts has seen security inefficiency in action firsthand, having served as the Victorian government’s Commissioner for Privacy and Data Protection from 2014 to 2017.

That was a difficult – and transformative – period for Victorian information-security policy, following damning 2013 and 2015 Auditor-General’s Office reports that questioned the state’s cybersecurity capabilities and its commitment to improvement.

Fully 68 percent of the 2015 audit’s findings related to IT-security issues – hardly inspiring faith in the state’s information infrastructure, which was also reeling from a 2015 review that slammed its CenITex shared-services strategy.

A subsequent statewide strategic overhaul drove a period of reassessment that culminated in the 23-point Victorian Government Cyber Security Strategy 2016-2020, and a $17.6m spend on a whole-of-government cybersecurity strategy last year.

Despite that strategic reinvention, however, breaches – the recent ransomware shutdown at several regional Victorian hospitals being the latest example – remain everyday occurrences, and even the reported Notifiable Data Breaches (NDB) scheme statistics are just the tip of the iceberg, Watts said.

Truth or consequences or…?

Watts went on to observe that, despite the recognition of cybersecurity’s significant costs, government was failing to lead by example because its own agencies – Home Affairs included – were struggling to comply with the Australian Signals Directorate’s (ASD’s) Top Four Mitigation Strategies policy, much less the more recent Essential Eight Maturity Model that superseded it.

Self-reporting had led to an inflated sense of security among government agencies: 60 percent reported Top Four compliance, but a recent Auditor-General review found that only 29 percent were actually compliant.

This posed problems for the protection of personal data, Watts said, given the still-unresolved tension between unaddressed security risk and the “perverse incentives” to gather ever more personal data and share it between organisations as the Consumer Data Right (CDR) regime takes hold.

“This means more of your personal information will be held by more and more agencies and you won’t know who,” he explained.

“Why are we pursuing policies which see much more of our information being shared, when the security risk associated with that has not been properly dealt with?”

More stick, less carrot

A general lack of consequences for data breaches – beyond an initial flurry of bad publicity and minimal reputational damage – had so far allowed organisations to treat breaches as a cost of doing business.

However, growing outrage over poor security protections would ultimately fuel a surge in other punishments, with Watts flagging a “cocktail of ‘hard’ and ‘soft’ law that can be employed to establish liability and obtain compensation”.

Because there is no specific tort of privacy in Australian law, formal compensation would be guided by Australian Privacy Principle 11 of the Privacy Act 1988 (Cth), which requires entities holding personal information to take “reasonable steps” to protect it from misuse, interference, loss and unauthorised access, modification or disclosure.

Yet with a growing array of security standards fleshing out what those reasonable steps entail, Watts said, agencies and businesses that fail to protect data – and, increasingly, their directors – could find themselves facing negligence claims for failing to guard against a “reasonably foreseeable” risk of harm.

Misleading-conduct laws could punish corporations that claim to be secure but aren’t, although questions would remain around the quantum of damages.

Many aggrieved individuals would struggle to justify commencing expensive legal action to recover potentially small damages, which makes class actions, aggregating many small claims into one, “the most realistic approach” to punishing data breaches.

“The days of security impunity are ending,” Watts said, noting that “in the absence of government action, the vacuum will be filled by class actions and public interest litigation.”

“Perhaps establishing consequences is the only way to make them take the security obligations they owe to individuals seriously.”