Helaine Leggat, head of cyber law at Sladen Legal, told iTWire in response to queries that the Department of Home Affairs and other Australian authorities may have decided to practice "security through obscurity".
Since 19 June, PageUp People has kept mum about the breach, having revealed very little about it prior to that as well, after first breaking the news of the breach on 6 June. The company has said it first noticed the intrusion on 23 May.
Leggat pointed out that in the US, from as early as 2015 after the promulgation of the Cybersecurity Information Sharing Act (CISA Legislation), "the authorities, including LEA (Law Enforcement) were saying that the victims of crime should not be punished. I have heard (Australian Cyber Security Centre chief Alastair) MacGibbon say the same thing here in 2018".
Leggat said there could be many reasons why the authorities were keeping quiet and protecting PageUp People.
"We are no doubt dealing with crime/criminal organisations wrt the breach," she said. "The UK authorities are also involved. Remember, there are Mutual Co-operation laws where countries like Australia and the UK agree to work together to assist one another. If too much information is made public, it does not help in an investigation."
She pointed out that in the case of the Singapore Privacy Law, there was no obligation to report a breach.
Asked whether there was a requirement for PageUp to provide full details of the breach to the public, Leggat said there were various provisions of the law that gave authorities an out.
She said she suspected that "full disclosure in this case will not be helpful to Australian interests in the fight against crime".
But Leggat said that "from a trust and company risk/reputation point of view, one would think that PageUp People would want to communicate more frequently. (I recommend Crisis Communications Policies, among other things).
"It is complex and we do not have the answers. Bear in mind the broader aspects of privacy. While Australia does not have a Tort (private action) of privacy, it does recognise privacy as a human and civil right – Refer to the Preamble of the Privacy Act 1988.
"There are all sorts of legal causes of action that can arise in a case such as this, including, contractual actions (PageUp with its clients, service providers etc), Breach of Confidence, negligence, shareholder actions etc. The biggest mistake people are making is to look narrowly at the NDB Scheme."