NSW workers and residents may be unaware personal data has been stolen or public services have been hacked because there is no legal requirement the state government tell them about cybersecurity breaches, Unions NSW is warning.
In a submission to a NSW upper house premier and finance committee inquiry into cybersecurity, the union peak body said that as the largest employer in the country the NSW government need to be compelled to be more transparent about the state of its cybersecurity ability.
“Without mandatory reporting requirements we have no idea about the extent of NSW’s cybersecurity problem,” said Mark Morey, secretary of Unions NSW. “Voluntary reporting schemes don’t work. We don’t let restaurants say they’re clean we inspect them and report illness outbreaks. We need to do the same when it comes to keeping our data protected.
“We have a right to know if the government is up to the job of keeping our data safe and secure.”
In April, Service NSW was hit by a phishing attack that took more than 500,000 documents and left 186,000 people exposed.
Service NSW holds incredibly sensitive information, including drivers’ licences, registrations for guns, cars and births, as well as details about businesses and properties.
“In April we saw 186,000 people left exposed when Service NSW was attacked by a phishing scheme. But that’s just what we know about.”
Unions NSW is calling for legislation that will compel agencies to report serious data breaches to a designate cyber agency.
“NSW needs designated cyber cops, who can protect our data and digital assets. The rest of the world is moving on this, and our government’s inaction means we’re at risk of being caught with our pants down.
“The government spent $3.8 billion on cybersecurity in 2017-18. We can’t keep throwing cash at this problem and hoping it’ll go away – we actually need to invest in sustainable, permanent cybersecurity jobs to get ahead.”
NSW’s peak trade union body, which represents 600,000 union members across NSW, also wants to see the NSW government lead the way on assuring data rights to its employees. This includes legislating against the government selling the data of its employees.
“Data is the new oil. We need to make sure that the private details of NSW public sector workers don’t end up treated like a commodity.
“The data of NSW public sector workers should remain in NSW. COVID-19 showed us how exposed offshoring leaves us – it’s time to bring NSW’s cybersecurity in house and back home.”
