Notification overload: From legislative intent to consumer fatigue

Wednesday 27 November, 1:30 pm - 2:10 pm

Speakers

Victoria Young
Managing Director, Scyne Advisory

David Stocks
Director, Germane Advisory

Synopsis

In Australia, mandatory data breach notification has been a positive reform that has provided consumers with an avenue to protect themselves when their data has been lost or compromised.

After six years of operation, and increasing risk aversion from organisations impacted by breaches, we’re at the point the originators of this legislation tried to avoid: overnotification. We tell people about data breaches that either present minimal risk, or leave people with few practical steps they could take to counter the risks.

The Australian Law Reform Commission (ALRC) and the 2017 Bill’s Explanatory Memorandum both warn of notification fatigue, but that’s exactly where we’ve ended up. Overnotification may create unnecessary anxiety for recipients, disproportionate administrative burden, and may ultimately generate notification fatigue and cybersecurity complacency.

This session is about how we ended up at this point (from the framing of the bill to implementation), what drives overnotification, and a discussion about what we should do.

The session will have the following format:

  • Describe the thesis up front: we think there's overnotification of data breaches in Australia.
  • We'll describe what we believe are the causes of overnotification (conservative legal responses to subjective criteria, pro-consumer political pressure, tragedy of the commons) and give some examples from case studies.
  • We will explore some history about how the current regime came to be, and how the Australian Law Reform Commission and others were alive to the risks of overnotification (with several examples and quotes). We'll also cover why we think appropriate levels of notification are important (notification fatigue can reduce the effectiveness of the regime, can be burdensome, and the notification process can distract from other activities that matter at the time of a breach).
  • Lastly, we'll make some suggestions for how we could fix this dynamic and address the incentives for overnotification (e.g. by reducing subjectivity for common cases).

After this, we'll take questions / comments from the audience - it's a provocative position to take and we'd like to engage in a conversation with the audience about the topic.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.