The clock’s ticking to comply with the Privacy Act

| February 19, 2018

While Australia’s privacy law has made a good start in encouraging better security hygiene, it may not go far enough to get all Australian and partner businesses in line. The new provisions in the Privacy Act passed by Parliament last year will come into force on February 22nd, meaning the clock is ticking for mid-sized firms to ensure they can comply.

The legislation requires organisations covered by the Act, including mid-sized firms with an annual turnover above $3 million, to notify affected individuals and the Office of the Australian Information Commissioner of eligible data breaches that are likely to result in serious harm. Serious or repeated non-compliance carries a maximum penalty of $360,000 for individuals or $1.8 million for organisations.

However, this is a far cry from the European Union General Data Protection Regulation, which applies penalties of up to 4% of annual global turnover or up to 20 million euros ($A30 million), whichever is higher.

The fines are not the only incentive to encourage better security practices, posture and hygiene. Privacy law should help to encourage breach disclosure, with merit given to those that practice privacy by design or who embed security into their data policy.

Organisations that can account for their security controls, and can show they have the right technologies and plans in place to protect data and to prove that protection, are in a stronger position. Solutions that discover and protect sensitive data, together with reporting on the security policy that defines how data is classified and handled, provide that evidence when a breach has to be assessed and notified.

Mid-sized firms may feel overwhelmed and under-resourced in dealing with cyber incidents, but the Australian Signals Directorate (ASD) actively engages with affected firms and offers support before, during and after an incident, including around the mandatory notification triggered under the breach notification laws.

It can suggest effective harm-mitigation techniques while encouraging the firm to adopt a better security posture to protect against similar problems in the future.

Effective preparation involves security policy, architecture and implementation. Proactive assessment, and real-time prioritisation of security events once an incident begins, help an organisation establish the full scope of a data breach quickly enough to contain it and to notify accurately.

However, given the recent string of data and information breaches around the world in firms of all sizes, there is still much to do to ensure breaches are discovered, acknowledged and guarded against in the future.

New technology is also an emerging threat. IoT devices and other new products can lack effective safeguards against hacking or fail to comply with existing rules. There has never been a period with more unsupported, vulnerable applications and operating systems in use around the world than today.

Many of the recent major exploits, such as WannaCry, succeeded by preying on unpatched and, in some cases, unsupported systems: the Windows SMB vulnerability WannaCry used had a vendor patch available two months before the outbreak. That is unacceptable in this age of advanced security technology.

Mid-sized firms should adopt a defence-in-depth approach, with proper application control and strong protection at the front end. The ASD lists application whitelisting as its number one mitigation, but there is more that all firms can do.
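As an added illustration of what application whitelisting actually enforces (this is not code from the article, from ASD, or from any product), the following Python script builds an allowlist from the SHA-256 hashes of approved binaries and then audits a directory, reporting anything whose contents do not match. The sample files, directory names and the set of "executable" extensions are constructed for the demonstration. Real enforcement belongs in the operating system (AppLocker or WDAC on Windows, for example), which decides at execution time; this script only makes the mechanism concrete.

```python
"""Toy hash-based application allowlist check (added illustration, not ASD's code).

Assumptions: executables are identified by the SHA-256 of their contents, and
anything not on the allowlist is reported as blocked. The file names, contents
and extension set below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumed set of extensions treated as executable for the demo.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat"}


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved: list[Path]) -> set[str]:
    """The allowlist is the set of hashes of binaries approved at deployment time."""
    return {sha256_of(p) for p in approved}


def audit_directory(directory: Path, allowlist: set[str]) -> dict[str, list[str]]:
    """Classify every executable under `directory` as allowed or blocked.

    Only the content hash is trusted. Name, path and extension are not, so a
    renamed unknown binary or a modified copy of an approved one is blocked.
    Non-executable files are ignored.
    """
    result: dict[str, list[str]] = {"allowed": [], "blocked": []}
    for path in sorted(directory.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        bucket = "allowed" if sha256_of(path) in allowlist else "blocked"
        result[bucket].append(path.name)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed sample: two approved binaries, one tampered copy, one unknown file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved_dir = root / "approved"
        approved_dir.mkdir()
        (approved_dir / "payroll.exe").write_bytes(b"MZ payroll v1")
        (approved_dir / "backup.exe").write_bytes(b"MZ backup v2")
        allowlist = build_allowlist(list(approved_dir.iterdir()))

        target = root / "workstation"
        target.mkdir()
        (target / "payroll.exe").write_bytes(b"MZ payroll v1")        # identical: allowed
        (target / "backup.exe").write_bytes(b"MZ backup v2 PATCHED")  # modified: blocked
        (target / "invoice.exe").write_bytes(b"MZ unknown dropper")   # not approved: blocked
        (target / "readme.txt").write_bytes(b"not executable")        # ignored
        return audit_directory(target, allowlist)


if __name__ == "__main__":
    print(demo())
```

The point for a defence-in-depth posture is in the third sample file: an unknown binary is refused regardless of whether the host has been patched, which is exactly the gap that exploits against unpatched or unsupported systems rely on.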

Applying a positive security model, in which only known and trusted applications and behaviour are permitted and everything else is denied, and pairing it with real-time prioritisation of security events, reduces the exposure created by unpatched vulnerabilities and makes anomalous activity against systems and data easier to identify automatically.