This week has seen Australians exposed to a pair of significant incidents that may have led to personal data being disclosed. Earlier this week, we learned that the Commonwealth Bank lost backup tapes containing a decade of bank statement data a couple of years ago pertaining to about 12 million customers. And, this morning, we learned that Twitter had an internal process failure leading to the usernames and passwords of 300 million users being stored in plain text. What can learn from these incidents to inform our won incident response.

Next month, the General Data Protection Regulation (GDPR) comes into effect in the European Union. This is probably the most comprehensive set of privacy protections for individuals and is accompanied by the strongest penalties on the planet. So, are we surprised that Facebook has reorganised things so 1.5 billion users, including Australians, will no longer be protected by these tougher regulations?

The European Union has always favoured the protection of personal privacy over the rights of governments and law enforcement to snoop on our data. Their regulations for the protection of Personal Identifiable Information (PII) have been among the strongest in the world. But, new rules, under the General Data Protection Regulation (GDPR) which were adopted in April this year become enforceable on 25 May 2018. What does this mean for Australian businesses?

Early next year, Australian companies will be subject to new laws requiring them to report to the Privacy Commissioner when they suffer a data breach resulting in unauthorised access of personal ideontfiable information. Generally, we think of this as being the result of a breach where a threat actor breaks into systems and steals data. But not all breaches are malicious.