A privacy time bomb

With less than 10 months to go before the amended Privacy Act comes into play, most organisations seem to be twiddling their thumbs. Such a cavalier attitude is only asking for trouble, both from criminals and from the regulators.

Reading through the government’s newly released guide to information security, especially with the changes to the Australian Privacy Act looming on the horizon, requires sorting through a mess of peculiar acronyms, extended dot points and open-ended questions.

Needless to say, it’s a complex document and it’s thorough. And perhaps this is just the kind of document needed to ensure that companies can’t wriggle out of their obligations when they are stung with a data breach. But could the complexity of the document prove to be its downfall? And are Australian businesses in urgent need of a wake-up call when it comes to data protection?

Well, the changes afoot are daunting, so perhaps some simplification is in order. But with less than a year to go before the reforms take effect, many organisations are seemingly twiddling their thumbs; a prospect that won't fill Australian consumers with any confidence.

A survey of Australian business and government agencies commissioned by internet security company McAfee has found that 59 per cent of employees responsible for managing the personal information of customers were unaware or unsure of the changes.

While the Attorney-General Mark Dreyfus and the Privacy Commissioner Timothy Pilgrim spent a lot of time yesterday blowing the bugle of impending change, it looks like many organisations are destined to end up on the wrong side of a data breach.

This outcome seems likely despite the assumption that many larger companies who hold our data will have teams of lawyers to pore over these documents and spell them out to the letter.

As the McAfee survey points out, just over half of the employees surveyed who are responsible for managing customer data were either unsure or unaware of the government's impending changes to the Privacy Act. Their ignorance could end up costing organisations a pretty penny, when you consider that the fines for breaching the law could range anywhere between $340,000 and $1.7 million.

It gets worse. Around 47 per cent of the employees responsible for handling user data said that they haven’t received adequate training in the field. Just over a third admitted that their organisation doesn’t really handle personally identifiable information with that much care.

It seems that McAfee has stumbled upon what could best be described as a privacy time bomb. As many already know, cyber criminals are gearing up their operations, and any company that exposes itself as an open target will get hit.

The Attorney-General was out in force yesterday, celebrating Privacy Awareness Week with an ultimatum to companies: study up on the new privacy laws or face the consequences.

But just what those consequences will be is still an open question. There is the threat of hefty fines, but one wonders if that’s enough. Both Telstra and AAPT have managed to avoid any punitive action despite falling foul of the Telecommunications Consumer Protections Code (TCP) last year, in what were substantial data breaches.

In fact, the McAfee survey shows that monetary penalties aren’t the biggest cause of angst for businesses. Reputational damage and loss of customer trust are the two big concerns for organisations, and that emphasis is unlikely to shift as they collect ever larger volumes of customer data.

The complications are further compounded by claims that a lot of personal data collection is being done with little or no regard to existing guidelines. Forget about the complex changes set to come into motion 10 months from now; organisations aren’t even paying heed to the current codes of conduct.

University of Sydney Business School's Terry Beed has warned that widespread adoption of market research tools like SurveyMonkey poses a genuine risk of personal data being gathered and stored in a way that’s at odds with current privacy regulations.

No company wants a data breach, but a cavalier attitude towards data protection is just asking for trouble, and patently counterproductive at a time when good privacy policies can deliver a significant competitive edge.