How the channel is preparing for the data breach notification scheme


"Often companies that are compromised don’t clearly understand what data was leaked and cannot retrospectively find out. This is a major concern as it makes it hard to do the necessary remediation, and thus the company is subjected to a fine. This can result in both reputational and financial damages to the company," Hewett said.

Hewett believes the legislation will force organisations to make changes, something that was long overdue. He also pointed out that the legislation is very vague in its definition of "applicable incident" and suggested two ways to improve it: it should include state government entities, and it should more clearly define what sort of breaches require notification.

Commvault principal architect Chris Gondek said the vendor's legal team has been working on a compliance guide for the new laws around data breach notification in Australia.

Gondek said partners need to educate their customers on how data breaches can negatively affect a business.

"Channel partners need to remind customers that their data is now typically spread across multiple data centres and even in software-as-a-service solutions and they must provide them with the tools to both protect and future proof their environments."

Gondek said that this is just the beginning of an entirely new focus on data and information management. "Data ethics is one of those topics right now that raises serious questions around who owns data and who is ultimately responsible," he said.

Next steps

Geek's Paior told CRN that the one thing that Australian businesses need to do that "so few actually commit to" is to put cyber security on their team meeting agendas. "By having that regular reminder to openly discuss cyber risk, it is brought to the front of everyone’s minds."

Paior also said that the legislation is a good thing as it puts cyber security “front of mind” to Australian small and medium business owners.

Diversus Group's Starsmeare said that organisations have ignored The Privacy Act and they will now have to step up.

"All too often we see organisations abdicating their responsibilities when it comes to the public cloud and unfortunately privacy is no exception. There is a belief in certain quarters that by leveraging a public cloud provider you no longer have to worry about mundane data management tasks such as provisioning enough storage for applications or to ensure your data is backed up.

"Your entity is responsible and accountable for the personal information it collects, even where that information is held by external service providers or contractors operating in Australia or overseas." 

According to Starsmeare, this is an opportunity for the industry to work more strategically with the business "rather than in the traditional tactical and largely reactive fashion of the past".

Conversations with other industries such as legal, risk, compliance and insurance are needed according to Sententia's Vizza.

"Having the legislation in place raises awareness and ultimately helps organisations realise the significant risk of a cyber breach. While most organisations are slowly coming to terms with the regulatory repercussions of a cyber breach, most still do not grasp the reputational or operational implications of a cyber breach until it's too late.

"It remains to be seen how strongly the law itself will be enforced and how strongly the Privacy Commissioner will penalise organisations who have weak cyber defences. At that point, industry will know how potent or limp the new law is," Vizza added.

Copyright © nextmedia Pty Ltd. All rights reserved.