For many businesses, security and privacy are an afterthought. By mid-March, that could all change. Australia is set to endure a massive legal shake-up that could see the Federal Privacy Act become a formidable, prescriptive framework requiring scores of businesses to make security and privacy a priority.
The reforms to the Federal Privacy Act will consolidate and toughen Australia’s disparate privacy laws and give the Federal Privacy Commissioner greater powers of enforcement. The changes were recommended in a landmark 2008 report by the Australian Law Reform Commission. In 2011, the federal government announced it would adopt the reforms, which are slated to come into force on 12 March this year.
There are potentially dramatic impacts on the technology sector which, up until now, has had little legal obligation to beef up security and privacy controls.
“Right now, organisations are beholden only to the pressure from customers and partners to improve their security posture and prevent breaches,” says Bob Robson of Melbourne-based security reseller and consultancy IPSec.
“And those organisations that are penetrated could simply sweep it under the carpet.”
The reformed Act introduces requirements and obligations for government agencies and organisations with revenues above $3 million to better protect customer information. It demands that these organisations make clear to customers when their data will be collected, where it will be stored and how it will be used. Any changes to the use of data must be made clear to all affected customers.
It requires that organisations take complete responsibility if their offshore cloud providers are breached, resulting in a compromise of customer data, unless those providers agree or are lawfully required to comply with the new requirements of the Australian Privacy Act. Checkbox compliance could be a thing of the past; after March, organisations could be required not only to purchase security tools, but to allocate resources to properly configure and monitor them for aberrations that indicate hackers are inside a corporate network.
At the extreme, we could see supermarket rewards schemes such as flybuys print short URLs on receipts that point shoppers to the program’s privacy policy and a checkbox to opt in or out.
The conservative federal government could opt to mandate the reform’s sister legislation, the shelved Privacy Alerts Bill 2013, which requires mandatory data breach reporting. This would shine a light on cyber theft for all to see; if hacked, a business could be forced to apologise in national newspapers for not having invested enough in security – and fined up to $1.7 million for serious breaches.
Robson points out that the reforms may be less prescriptive if the Office of the Australian Information Commissioner (OAIC) is more flexible in the new laws’ security requirements. There is a lack of clarity on the interpretation of what constitutes ‘reasonable steps’ to secure customer data.
Despite the release of the official guidance from the OAIC, the real-world impact remains vague. Laureen Smith, Asia-Pacific vice-president at file sharing software vendor Workshare, says one weakness of the legislation is that “unlike foreign policies regimes... there is no distinction between a ‘data controller’, one who controls and collects the information, and a ‘data processor’, one who holds and processes information on behalf of the ‘data controller’.
“In foreign privacy policies, limited obligations are placed on the ‘data processor’, while within the Australian legislation there still is an element of uncertainty in the allocation of risk. This makes it particularly challenging when selecting a cloud provider, as the extent of non-compliance risk that rests on the cloud provider and that passed back to the customer is unclear.”
While plenty of questions remain, it is clear that only a brave organisation would risk doing nothing to prepare for the reforms. And here is where opportunities for the channel exist. If the government takes a hard line, IPSec’s Robson says “there could be a flood of purchasing of security gear by organisations”.