Are Australian organisations ready for new Privacy laws?

Many companies are still not fully aware of the changes the revised Privacy Act will bring and compliance doesn't guarantee safety.

Data is a valuable business resource, especially in our increasingly digital world. That’s why “Big Data” is such a hot IT trend right now, as companies hold increasing amounts of data on their customers and internal operations to enable them to make better business decisions.

So, does more data increase a company’s risk/threat profile? The answer is, in most cases, ‘yes’. In reality, a “Big Data” database may hold records on the same number of people as before, but it is “Big Data” because those records are larger and richer, and can be analysed and correlated to support everything from business trend analysis to crime-fighting.

For example, an online retailer may track a person’s activity on their website over the last six months: purchase decisions, credit cards used, items placed in a ‘cart’ but never purchased, as well as other personal profile and activity details. So, for a cybercriminal looking for credit card numbers, this may be a particularly attractive source of their target data, as well as a wealth of other information they may be able to sell on the cyber-underground.

Customer data has moved higher up the agenda recently with the changes in Australian privacy legislation due to take effect early next year. The Federal Government is looking to make companies more accountable for protecting customer information. The Privacy Commissioner will be granted more powers to impose penalties, including substantial fines, on businesses that do not take adequate steps to protect customer data.

While the Privacy Alerts Bill 2013, which would mandate companies to report data breaches to the Privacy Commissioner and to affected customers, did not pass in the Senate, the privacy legislation that is coming into force in March 2014 significantly strengthens the powers of the Privacy Commissioner to investigate data breaches. Therefore the financial, brand, reputation and other impacts of a data loss are potentially staggering.

Everyone is impacted by these changes. The principles of the current Privacy Amendment Act, passed on 29 November 2012, are different for government agencies (the Information Privacy Principles, IPPs) and businesses (the National Privacy Principles, NPPs), but will become unified as a single set called the Australian Privacy Principles (APPs). The new legislation will also introduce 13 new APPs, as well as significant changes to some of the existing principles.

This means Australian companies urgently need to re-evaluate their IT security and ensure they have the layered defences in place to stop data leakage. Their security posture needs to address all angles of data loss: from a simple internal error or a purposeful attack by a malicious insider, right through to being able to detect and block the most sophisticated targeted attacks. They must also maintain proactive measures to mitigate cyber-crime risks, particularly against increasingly targeted cyber-attacks and advanced persistent threats (APTs).

Many companies can become complacent having taken compliance measures in the past. Meeting a swathe of security standards (PCI compliance comes to mind) is just one step forward, but more steps need to be taken to actively protect sensitive customer and corporate data.

A modern security posture does not rely on compliance; it approaches security from a threat lifecycle perspective. Compliance merely ticks a box for organisations and can give them a false sense of security. There is so much more companies need to do in order to protect themselves against a data breach when the amended Privacy Act kicks in.

Compliance doesn't guarantee safety

From conversations I have with customers, it appears many companies are still not fully aware of the changes the revised Privacy Act will bring. This is concerning, as it is something that can significantly impact their businesses. Most are still probably thinking they are safe because they have met certain compliance requirements.

These organisations, possibly unwittingly, aren’t doing enough to protect themselves or their customer information from potential cyber-attacks and data theft in my opinion.

A layered security approach is the best way for organisations to protect themselves from security breaches. Layered security essentially employs a combination of different defences to ensure a holistic approach to IT security. In amongst its ‘Big Data’, an organisation needs to identify and protect its most valuable data. It needs to have effective data security solutions across all of its channels, including web, email, mobile and the endpoint, to ensure that data doesn’t leave the enterprise inappropriately or unlawfully.

Gartner predicts that changes in the Privacy Act will drive up IT security spending in Australia. This seems inevitable; however, what companies really need to think about is how to spend their IT security funds to ensure the greatest protection possible.

Companies must invest in the right technologies and update their security processes or risk being heavily penalised by the Privacy Commissioner should there be a data breach, not to mention the reputational damage which could ensue.

Gerry Tucker is the ANZ country manager of Websense.