How the channel is preparing for the data breach notification scheme


Security resellers and systems integrators have revealed the steps they've undertaken in preparation for the data breach notification scheme, set to start on 22 February 2018. 

The legislation sets out that if an organisation realises it has been breached or has lost data, it will have to report the incident to the Privacy Commissioner as well as notify affected customers. The data breach notification scheme will affect government agencies and organisations governed by the Privacy Act, and companies with a turnover of more than $3 million a year.

The notification has to include a description of the data breach, the kind of information involved, and how customers should respond to the security incident. Individuals that fail to notify can be fined $360,000, and organisations $1.8 million.

Sydney-headquartered Sententia has been preparing for the past three years.

"We have established strong relationships and credentials with legal providers and have been working with insurance and legal on cyber readiness programs, audits and assessments and managed security services to meet the requirements of mandatory breach notification," cyber security practice director Tony Vizza told CRN.

Sententia is offering cyber security assessment services to its customers, which include an optional consultation with a cyber law practitioner to allow for a whole-of-business risk mitigation conversation.

"We also facilitate discussions with cyber breach insurance providers. Cyber breach notification truly is a whole of business conversation and IT resellers and providers need to look beyond traditional ways of thinking to capitalise on the space," Vizza said.

Jon Paior, founder and chairman of Adelaide-based MSP Geek, said the company has been talking to customers about the importance of speaking to insurance professionals about cyber risk. "In most cases, after seeking advice, our customers have felt that self-insuring against this type of risk was not the best option for them."

Geek is preparing information seminars and webinars to present to its clients. "We work with clients to run IT security reviews with our software tools to analyse the type of data they are storing and can often calculate for them a fair estimate of the financial implications of a breach," Paior said.

Diversus Group chief executive Chris Starsmeare said the company started to prepare by reviewing its own data collection practices and policies. Diversus is also working with an independent law firm to update its offerings to incorporate the upcoming amendments.

"Often the first step toward mitigating risk surrounding data privacy is to determine what sensitive or personally identifiable information (PII) your organisation's IT systems are storing – if you do not know what information you have, it is difficult to determine how compliant you are in relation to the storage and management of that personally identifiable information," Starsmeare added.

Vendors' actions and views

According to Sententia's Tony Vizza, vendors have taken no action in regard to the act.

"A few have given it brief mention but none have actively strategised for the new law and how they can use it to effect a positive outcome for clients. If anything, the vendors are thinking 'how can we sell more kit' rather than attempt to address the issues at the heart of mandatory breach notification laws which is 'how do we help our clients keep their information secure'."

Geek's Paior has a similar view. "As is often the case, the security vendors often focus their attention on the enterprise and larger scale customers. In the small to medium business MSP space very little communication or preparation has come from our usual vendors. To be honest the most useful information has come from the government websites and from members within the community driven organisations Geek belongs to, like HTG Peer Groups," Paior said.

Diversus' Starsmeare said there have been conversations with Palo Alto Networks about the Privacy Act and protecting PII. "We both agree that technology is not the sole problem and equally that technology is not the only solution," he said.

Palo Alto Networks vice president and regional chief security officer Asia-Pacific Sean Duca told CRN that the vendor has put out briefings and workshops informing partners on the changes.

Duca sees the act as both a challenge and an opportunity for the partners. "It’s a challenge from the perspective that some organisations may not understand what the pending law means and with that, may also be under prepared in protecting their customers’ data. The opportunity here is that partners have the ability to provide further value to their customers and ultimately, secure their customers’ information."

Duca added that the legislation will be doing the right thing by the customer, which is protecting their data. "If organisations collect it, they need to protect it."

Peter Hewett, Trend Micro channel director Australia and New Zealand, said that there is a consulting opportunity for cyber security savvy partners to provide advice and guidance to their customers about what the legislation means, how they should prepare for it, and what they should do if a breach occurs. 

"Often companies that are compromised don’t clearly understand what data was leaked and cannot retrospectively find out. This is a major concern as it makes it hard to do the necessary remediation, and thus the company is subjected to a fine. This can result in both reputational and financial damages to the company," Hewett said.

Hewett believes the legislation will force organisations to make changes, something that was long overdue. He also pointed out that the legislation is very vague in its definition of "applicable incident" and suggested two ways to improve it: it should include state government entities, and it should more clearly define what sort of breaches require notification.

Commvault principal architect Chris Gondek said the vendor's legal team has been working on a compliance guide for the new laws around data breach notification in Australia.

Gondek said partners need to educate their customers on how data breaches can negatively affect a business.

"Channel partners need to remind customers that their data is now typically spread across multiple data centres and even in software-as-a-service solutions and they must provide them with the tools to both protect and future proof their environments."

Gondek said that this is just the beginning of an entire new focus on data and information management. "Data ethics is one of those topics right now that raises serious questions around who owns data and who is ultimately responsible," he said.

Next steps

Geek's Paior told CRN that the one thing Australian businesses need to do, and that "so few actually commit to", is to put cyber security on their team meeting agendas. "By having that regular reminder to openly discuss cyber risk, it is brought to the front of everyone’s minds."

Paior also said that the legislation is a good thing as it puts cyber security “front of mind” to Australian small and medium business owners.

Diversus Group's Starsmeare said that organisations have ignored the Privacy Act and will now have to step up.

"All too often we see organisations abdicating their responsibilities when it comes to the public cloud and unfortunately privacy is no exception. There is a belief in certain quarters that by leveraging a public cloud provider you no longer have to worry about mundane data management tasks such as provisioning enough storage for applications or ensuring your data is backed up.

"Your entity is responsible and accountable for the personal information it collects, even where that information is held by external service providers or contractors operating in Australia or overseas." 

According to Starsmeare, this is an opportunity for the industry to work more strategically with the business "rather than in the traditional tactical and largely reactive fashion of the past".

Conversations with other industries such as legal, risk, compliance and insurance are needed, according to Sententia's Vizza.

"Having the legislation in place raises awareness and ultimately helps organisations realise the significant risk of a cyber breach. While most organisations are slowly coming to terms with the regulatory repercussions of a cyber breach, most still do not grasp the reputational or operational implications of a cyber breach until it's too late.

"It remains to be seen how strongly the law itself will be enforced and how strongly the Privacy Commissioner will penalise organisations who have weak cyber defences. At that point, industry will know how potent or limp the new law is," Vizza added.

Copyright © nextmedia Pty Ltd. All rights reserved.