How secure will our Census really be?
"CYBER-security is an agency priority.
"We are implementing continuous monitoring, in a lawful manner, both for our own network and systems as well as contractor systems.
"We look at security controls on a rotating, more frequent basis, identifying vulnerabilities in real time given the changing nature of threats.
"Plans of action and milestones are created and tracked to remediate any concerns.”
You might be forgiven for thinking that these are the words of the Australian Bureau of Statistics (ABS) executive.
Words that serve to assure the Australian public that the public benefit of harvesting our personal information from the Census far exceeds the costs of doing so.
That everything is in control. There's nothing to see here or be concerned about.
Although very similar, these words come from the Executive of the United States Office of Personnel Management (OPM), some three weeks before 21.5 million Americans had their records hacked. Those records contained extremely sensitive personal information, including the US Social Security Number.
OPM works very closely with the American intelligence community. Its role includes conducting background investigations for prospective employees and security clearances across government.
So despite being critical to the US national security community, with its very large cyber security budgets and capabilities, this agency was found wanting.
Bottom line is that despite the rhetoric and assurances, OPM was hacked, and hacked bad.
What are your rights if the ABS becomes another OPM and gets hacked?
Well, there is no mandatory data breach (i.e. hacking) notification scheme in Australia. Organisations can go about their merry way without having to tell anyone that their personal information has been hacked.
That would account for around 14% of IDCARE callers this year - not knowing how the compromise of their personal information occurred in the first instance.
All they see is the misuse aftermath - what criminals are actually doing with their hacked information.
At present, the Privacy Commissioner focuses almost solely on examining what the entity in question has done to prevent, assess and respond to a breach.
Each breach is unique and therefore a template solution on what an individual can expect is difficult to determine.
Historically, when the Privacy Commissioner has investigated, outcomes have ranged from civil penalties imposed on the responsible organisation through to enforceable undertakings - again, little is revealed in terms of what individuals can expect.
But the entity in question here, the ABS, is only one side of the equation.
If you are using a device that doesn't have anti-virus to complete the Census tonight, then think again.
If your device is vulnerable because it doesn't have the latest anti-virus protection, then your Census input is vulnerable at your end of this transaction.
To embrace this move, my advice is to embrace anti-virus, and do so frequently, and not to have high expectations if (or when) your data is hacked.
* Dr David Lacey is a Senior Research Fellow at the University of the Sunshine Coast and Managing Director of IDCARE.