How resellers can become protectors of privacy


For many businesses, security and privacy is an afterthought. By mid-March, that could all change. Australia is set to endure a massive legal shake-up that could see the Federal Privacy Act become a formidable, prescriptive framework requiring scores of businesses to make security and privacy a priority.

The reforms to the Federal Privacy Act will consolidate and toughen Australia’s disparate privacy laws and give the Federal Privacy Commissioner greater powers of enforcement. The changes were recommended in a landmark 2008 report by the Australian Law Reform Commission. In 2011, the federal government announced it would adopt the reforms, which are slated to come into force on 12 March this year.

There are potentially dramatic impacts on the technology sector which, up until now, has had little legal obligation to beef up security and privacy controls.

“Right now, organisations are beholden only to the pressure from customers and partners to improve their security posture and prevent breaches,” says Bob Robson of Melbourne-based security reseller and consultancy IPSec.

“And those organisations that are penetrated could simply sweep it under the carpet.”

The reformed Act introduces requirements and obligations for government agencies and organisations with revenues above $3 million to better protect customer information. It demands that these organisations make clear to customers when their data will be collected, where it will be stored and how it will be used. Any changes to the use of data must be made clear to all affected customers. 

It requires that organisations take complete responsibility if their offshore cloud providers are breached, resulting in a compromise of customer data, unless those providers agree or are lawfully required to comply with the new requirements of the Australian Privacy Act. Checkbox compliance could be a thing of the past; after March, organisations could be required not only to purchase security tools, but to allocate resources to properly configure and monitor them for aberrations that indicate hackers are inside a corporate network.

At the extreme, we could see supermarket rewards schemes such as flybuys print short URLs on receipts that point shoppers to the program’s privacy scheme and a checkbox to opt in or out.

Government guidance

The conservative federal government could opt to mandate the reform’s sister legislation, the shelved Privacy Alerts Bill 2013, which requires mandatory data breach reporting. This would shine a light on cyber theft for all to see; if hacked, a business could be forced to apologise in national newspapers for not having invested enough in security – and fined up to $1.7 million for serious breaches. 

Robson points out that the reforms may be less prescriptive if the Office of the Australian Information Commissioner (OAIC) is more flexible in the new laws’ security requirements. There is a lack of clarity on the interpretation of what are ‘reasonable steps’ to secure customer data.

Despite the release of the official guidance from the OAIC, the real-world impact remains vague. Laureen Smith, Asia-Pacific vice-president at file sharing software vendor Workshare, says one weakness of the legislation is that “unlike foreign policy regimes... there is no distinction between a ‘data controller’, one who controls and collects the information, and a ‘data processor’, one who holds and processes information on behalf of the ‘data controller’.

“In foreign privacy policies, limited obligations are placed on the ‘data processor’, while within the Australian legislation there still is an element of uncertainty in the allocation of risk. This makes it particularly challenging when selecting a cloud provider, as the extent of non-compliance risk that rests on the cloud provider and that passed back to the customer is unclear.”

While plenty of questions remain, it is clear that only a brave organisation would risk doing nothing to prepare for the reforms. And here is where opportunities for the channel exist. If the government takes a hard line, IPSec’s Robson says “there could be a flood of purchasing of security gear by organisations”.

The Privacy Act has been dear to the heart of Nick Verykios for some time. Around 15 years ago, the managing director of Sydney-based Distribution Central (DC) published a white paper on Australia’s privacy laws. He sees the reforms as a great risk to organisations that collect large volumes of unstructured customer information for use in big data analytics.

But for the reseller market, the reforms could be a potential cash cow for those with the savvy to become trusted advisors and help their clients prepare for the changes. “From a channel perspective, [the reforms] are an opportunity for our resellers to not just talk about the Privacy Act but to sell technology that is relevant to the changes of the Act,” Verykios says, adding that the “money will flow” into security technology once the reforms set in. “And suddenly there’s an opportunity to sell services that keep those technologies legitimate.” 

He sees organisations’ use of unstructured data as a big opportunity for the channel, particularly in the government sector. “Unstructured data tends not to be policed very well in organisations and the government is capturing the largest amount of unstructured data.”

In the world of unstructured data, the conversation as it relates to the reforms has moved from a “battle of the minds” of compliance to a hard binary question: has the data been classified and can it be collected? DC’s partners are telling clients that not only do the reforms require policy reviews, but also the ability to demonstrate that an organisation knows where all its customer data resides. Conveniently, the distie supplies the Varonis data classification platform.

“In the security selling cycle, you can’t just come in after a customer has made a decision – you need to disrupt the cycle. What the resellers are saying is that you can’t hide behind the battle of the minds and dodge legislation that’s been going on for 14 years, the problem needs to be binary.”

With some two decades’ experience in the tech sector, Ronnie Altit is playing it cool. The managing director of Sydney-based Insentra says his company is advising clients on the reforms, but sides with Robson by saying that the channel must wait on advice from the privacy office. “We’re waiting on [commissioner Timothy Pilgrim] on how he will interpret the Act,” says Altit. “Like any legislation, we need to look at intent.”

Rather than spruik fear, uncertainty and doubt by inflating the worst-case scenarios for businesses under the reforms, Altit is educating end users about the importance of having the right policy in place and how they should investigate the possibility of data loss from their organisations. “The biggest opportunity for the channel is in data loss and what’s happening with customer information. Businesses need to be cognisant of the data they store and that’s what we’re talking to them about.”

Varonis regional director Danny Bakos agrees that the channel should avoid selling on ‘FUD’ – fear, uncertainty and doubt. It is a dangerous strategy, as is a failure to preemptively respond to the reforms by advising clients. “The risk to the channel is if resellers don’t educate their customer base and their clients are breached,” Bakos says. 

“If a customer’s trusted advisor isn’t giving them the education and uptake of new technology, then the business of the reseller could soon be lost.”

Meanwhile, in the upper floors of Sydney’s Chifley Towers, a small but experienced team of security boffins at HackLabs discuss recommendations for how clients should tackle the looming reforms. 

“The introduction of the amendments is finally a tangible, real business impact to educate organisations,” director Chris Gatford says. “Given that an incident can be investigated and there’s a threat of potential fines, this should be enough to get senior management’s attention focused back on security.”

Experienced channel professionals and security chiefs at Australia’s largest organisations agree that a major opportunity of the reforms will be the need for organisations to locate and consolidate customer data and review and write new policies. McAfee Asia Pacific chief technology officer Sean Duca says: “There is definitely an opportunity for the channel to play the role as trusted advisor – they could preach the message of security and focus on awareness, which is more of a cascade effect than a straight focus on what are the core changes.”

Duca has put his channel professionals through three to four years of training to help teach clients good security practices, which includes material on how the reforms might affect different organisations. Preparing for the reforms requires knowledge of the location of customer data and who has access to it, rather than simply buying new technology. “The data protection strategy is about more than just… buying a product and flicking on the switch.” 

He echoes the comments of Varonis’ Bakos: “Australians don’t buy products based on pitches of fear, uncertainty and doubt.” 

Sydney-based channel company Systemnet has already sent notices to its customers on how the reforms may impact them. Operations manager Bruno Janni says the move was part of becoming a trusted advisor. “We have sent notifications to all of our clients to let them know how the reforms may impact them, and we’ve also met with our product guys about a [burgeoning] insurance policy to cover the risk to businesses.” 

Notably, the discussion was driven by the channel to the client; enquiries in the other direction have yet to start. The channel professionals who were contacted by CRN said that, with the exception of their most curious clients, the pending Privacy Act reforms have brought limited enquiries. But that general lack of awareness among customers could be a boon.

Brave new world

Sophos sales director David Sykes says that while customers haven’t phoned in enquiries, the vendor’s channel partners have been planning seminars and programs to raise awareness – and hopefully demand for products and services.

“So our partners say ‘OK, we’ll raise awareness’ but then what is the call to action? If you want to sell, know the answer is not necessarily another [unified threat management box],” he says. “The conclusion I have come to is that the opportunity is to take the legislation as a warning bell; a wake-up call.” 

That warning bell is sounding a new possible reality in which breached organisations face large losses in reputation, as well as sales and productivity, especially in the event that the Privacy Alerts Bill comes into play. 

“Rather than get worked up about unclear requirements,” Sykes says, “let’s talk about what a data breach may mean to clients.”

He preaches against FUD, saying that any channel professional who pitches sales on the back of a reform scare campaign would be “skating on very thin ice.”

The rubber hits the road

While many clients still need to be warmed up to the issues surrounding the privacy reforms, some of Australia’s largest organisations are already well into preparing for a shake-up.

At one major, critical Australian organisation, IT workers are rummaging through the binary in search of customer data. At the behest of top executives, they are undertaking a mission described by insiders as “mammoth” to identify where their prodigious customer data resides, and which of its many thousands of staff have access to it. This expensive project – detailed to CRN on the condition the staffer and organisation not be named – is in part a response to the potential impact of the privacy reforms.

“It’s a massive privacy reform project,” the source says. 

“We are coming to understand what we can and cannot do under the [pending] legislation.” 

The project would help the organisation consolidate its vast data sets across channels to offer new services to the public. It would also help to produce a digestible document (“a quick response”) of the organisation’s preparatory works, detailing the state of security around customer data. The experienced security staffer considered this an easy win to appease energetic privacy auditors. “We want to know in terms of our data what’s ethical, moral, legal to do and so on.”

He suggests that the privacy office would lack the resources to conduct large numbers of audits, and so would struggle to put the new powers under the reform to great effect. But the potential damage from an audit is enough to put fear in the hearts of executives at one of Australia’s biggest retailers. A security staffer, also speaking on the condition he and his company would not be named, says executives feared the auditors while shrugging off the near two million dollar fines.

“The fines were never the issue,” he says. “The biggest fine [for a privacy breach] even in the EU is two million euros, and that’s a drop in the ocean to most of these big guys. The threat was the enforceable undertakings by the Commissioner – it always was.” He attended a function where commissioner Pilgrim stated that such undertakings were his “favourite approach”, possibly said with the knowledge that the costs of compliance could often be considerably higher than the financial penalties for a breach. “Imagine 20 years of audits with a crew of hostile auditors... that threat holds real weight,” said the security staffer.

His employer, a household name, is one of many he says are conducting reviews into where client data resides, how it is accessed and by whom. But despite the projects, he says the entire industry is failing to understand the effects of the reforms and has failed to have its questions about the implications answered by the Privacy Office. He says the recent breach of more than 70 million customer records at Target stores in the US was a “big wake-up call” for the Australian industry, which he describes as being short-sighted.

“Businesses are motivated by making money, not by implementing best practice. We’ll have to wait and see what the Commissioner does, but no doubt there’s money to be made.”
