Privacy regulation and data breach response system effectiveness

The breach of personal information continues to impact many millions of people every year.

Research Priority 3 (RP3)

The breach of personal information continues to impact many millions of people every year. Government regulation in this environment prioritises reporting to regulators and separate reporting to notified persons where serious harm is assessed as likely. Since the 2018 reforms in Australia, there has been a proliferation of market participants that influence how notifiable breach events are managed and how effectively they actually treat the risk of serious harm, including law firms, insurers, public relations consultants and cyber forensic firms. It is a heavily conflicted space: the breached organisation assesses the risks to impacted persons, often without an intimate understanding of the personal circumstances and real risks confronting each individual. Advising specialists are also conflicted, often serving only the interests of the breached entity or the insurer. How this breach response market has evolved, and how it influences the wicked problem that notifiable breach regimes were conceived to address, is not well understood. What we do know with confidence is that breaches continue to occur at spectacular scale, serious harm is experienced, and a market is being conditioned on a regulatory requirement which may or may not be making a real difference to those actually impacted. Governments, for their part, are tending to respond by collecting the breached data themselves in order to place controls, with or without the knowledge of the breached person. The effectiveness of this is also not well understood.


Research in this field needs to contribute to all of these questions but should have a general focus towards examining the broader concept of ‘effective breach response’. Effectiveness may be a strict legal compliance outcome, but the orientation towards an assessment of serious harm risks, notification strategies, and impacted persons' needs and care are also important attributes that would benefit from closer research attention. The context is nevertheless brimming with unanswered questions, including:


RP3.1 In these contexts, what is meant by ‘effective’ breach response, and from whose perspective? How effective are these models in supporting or limiting the intent of Parliament in advancing these regulations?

RP3.2 Does comparative analysis across jurisdictions offer new insights as to the effectiveness of particular elements of notifiable breach legal and policy frameworks?

RP3.3 Does the type of breach (such as ransomware) matter for, or impact, effective response? What are the real risks, and what affordances exist within the response system to address these risks?

RP3.4 Are notifiable breach regimes that centre upon reporting to regulators the most effective models to respond to the risk of and from breach events? What are the legislative inhibitors to effective breach response? How can effective breach response be achieved if there is an asymmetrical understanding of the risks of serious harm?

RP3.5 What effectiveness would a privacy tort have in contributing to preventing or responding to breach events?

RP3.6 Is it inevitable that to mitigate serious harm from a breach event, you have to create it? What are the perils in accumulating breached information and advancing controls on behalf of breached persons in ‘breaching the breached’?

RP3.7 What do notified persons of data breaches really think about breached organisations, the events, and perpetrators?