Channel professionals have more insight into what constitutes 'reasonable security' under reforms to the Privacy Act set to come into force in seven days, with news that the Federal Privacy Commissioner will weigh up the size of an organisation's wallet when deciding whether hacked organisations are in breach of the regulation.
Organisations were earlier instructed only to deploy 'reasonable' security measures to protect sensitive customer data and that hacked entities could fall foul of the Act if they scrimped on security.
They were also warned by Federal Privacy Commissioner Timothy Pilgrim to "hit the ground running" and not expect extensions.
The reforms that consolidated Australia's disparate privacy laws were recommended in a 2008 landmark report by the Australian Law Reform Commission and adopted in 2011. Organisations and agencies with a turnover of more than $3 million would fall under the non-legally binding regulations.
Security professionals and IT managers at some of Australia's largest organisations including retailers, independent stores and government agencies said on condition of anonymity they were collectively unsure of what was required at minimum to keep what they assume to be blood-thirsty privacy auditors at bay.
They were also taking bets on whether the office would strike hard and fast come 12 March and make an example through the courts of the first hacked organisation to fall foul of the act.
Commissioner Pilgrim said the office would in its tougher approach to compliance consider the resources of any organisation that breaches the new Act.
"We would take into account the size of an organisation, but it is only one factor," Pilgrim said, adding that better-resourced organisations with systems such as intrusion detection and Security Information and Event Management (SIEM) must ensure those security platforms are properly configured and monitored, not just switched on in the style of check-box compliance.
"We would be looking at what [security and risk] standards have been applied... to see what may be applicable to the size of the entity in terms of availability of systems and their cost," he said.
"At the end of the day an organisation can't be excused for [not] taking particular steps to protect the information they have – they must be taking some steps."
Hacked organisations that have failed to fix basic security flaws will receive little sympathy, regardless of whether they approach the office with out-turned pockets. Such flaws, Pilgrim outlined, include a failure to patch software against known security vulnerabilities.
Distribution Central managing director Nick Verykios said resellers will remain trusted advisors.
"The reseller, regardless of chosen pathway to market, is and will remain the trusted advisor to all organisations," Verykios said. "They will continue to look to their vendor partners and distribution partners to make sure that they are presenting the latest strategies to ensure their customers do not get affected by the latest threats."
He said channel partners when discussing the effects of the Privacy Act should focus on solutions around security and operations, not only compliance.
"Because security problems, any kind and inclusive of data leakage and those associated to privacy legislation, can bring an entire organisation to a standstill or down for good. That is the historic truth."
That regulation should be seen as an incentive to build strong security and privacy controls was a point echoed by David Sykes, sales director for Sophos Australia and New Zealand. He said security controls should be built according to an organisation's reputation, not according to laws.
"However, the way in which an organisation approaches security and privacy, including the outlay of cost and resources, should not be dictated by legislation," Sykes said.
"Instead the best approach for costing compliance should be proportionate to the value that the company places on its reputation, and how heavily the business relies on the Internet in serving that business."
The coming months may not herald a flurry of activity from organisations racing to comply with the Act. During this time, the channel should keep an eye out for any enforcement moves the Office takes under the Act which may generate a shakeup within particular industries, according to IPSec director of operations Ben Robson.
"What this means for the channel and organisations themselves is ... there will not be a sudden rush between now and when the law becomes actively enforced," Robson said.
"Organisations will take their time, they will wait to examine rulings against organisations of a similar size to their own, and will then implement solutions based on the expectations of the courts."
He said organisations will likely take "modest steps towards privacy protections" without being entirely committed to compliance until sufficient rulings occur against organisations of a similar size.
It appears unlikely that the office will be making an example of the first company to be breached. The initial months following March 12 will see the office "working with entities to ensure" organisations and agencies "understand the new requirements and have the systems in place to meet them".
It would, according to a joint statement by Pilgrim and Australian Information Commissioner Professor John McMillan, adopt "an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements".
Large Australian organisations including banks, telcos, retail chains and insurers, along with government agencies, have implemented privacy reform and review schemes, with some flagging plans to rip and replace customer database management systems.
But tech representatives for the small end of town have warned those businesses were unaware or uninterested in investing to comply with the reforms.
Sense of Security southern region business manager Aarron Spinley said the first point of difference between how large and small organisations comply with the new Act will be in the execution of policies.
"In regard to the potential or perceived disparity between the assessment of large versus small organisations, the first real measure is likely to be the presence or absence of any overriding governance arrangements," Spinley said.
"Policy statements may not differ between large and small organisations, but the way that policy is implemented will."
The Commissioner may seek out the intent of organisations to govern data and then look to technical and process controls, he said. "An organisation might attempt to argue about the make-up of specific technical controls, but the absence of any governance arrangements would seem to be less defensible."
Pilgrim said organisations voluntarily confessing breaches to the office and alerting compromised users – in lieu of the scuppered mandatory reporting scheme – would be considered to have taken at least one 'reasonable step' to comply with the Act. The office received about 30 voluntary data breach notifications from organisations in the current financial year.
He advocates that organisations initiate privacy impact assessments to determine where sensitive customer information lies, who could access it, and what the risks of holding that information are.
Smaller organisations unsure of where to start in terms of compliance should look to ISO security and risk standards, Pilgrim said.