Security resellers and systems integrators have revealed the steps they've undertaken in preparation for the data breach notification scheme, set to start on 22 February 2018.
The legislation sets out that if an organisation realises it has been breached or has lost data, it will have to report the incident to the Privacy Commissioner as well as notify affected customers. The data breach notification scheme will affect government agencies and organisations governed by the Privacy Act, and companies with a turnover of more than $3 million a year.
The notification has to include a description of the data breach, the kind of information involved, and how customers should respond to the security incident. Individuals that fail to notify can be fined $360,000, and organisations $1.8 million.
Sydney-headquartered Sententia has been preparing for the past three years.
"We have established strong relationships and credentials with legal providers and have been working with insurance and legal on cyber readiness programs, audits and assessments and managed security services to meet the requirements of mandatory breach notification," cyber security practice director Tony Vizza told CRN.
Sententia is offering cyber security assessment services to its customers, which include an optional consultation with a cyber law practitioner to allow for a whole of business risk mitigation conversation.
"We also facilitate discussions with cyber breach insurance providers. Cyber breach notification truly is a whole of business conversation and IT resellers and providers need to look beyond traditional ways of thinking to capitalise on the space," Vizza said.
Jon Paior, founder and chairman of Adelaide-based MSP Geek, said the company has been talking to customers about the importance of speaking to insurance professionals on cyber risk. "In most cases, after seeking advice, our customers have felt that self-insuring against this type of risk was not the best option for them."
Geek is preparing information seminars and webinars to present to its clients. "We work with clients to run IT security reviews with our software tools to analyse the type of data they are storing and can often calculate for them a fair estimate of the financial implications of a breach," Paior said.
Diversus Group, led by chief executive Chris Starsmeare, started to prepare by reviewing its own data collection practices and policies. Diversus is working with an independent law firm to update its offerings to incorporate the upcoming amendments.
"Often the first step toward mitigating risk surrounding data privacy is to determine what sensitive or personally identifiable information (PII) your organisation's IT systems are storing – if you do not know what information you have, it is difficult to determine how compliant you are in relation to the storage and management of that personally identifiable information," Starsmeare added.
Vendors' actions and views
According to Sententia's Tony Vizza, vendors have taken no action in regard to the act.
"A few have given it brief mention but none have actively strategised for the new law and how they can use it to effect a positive outcome for clients. If anything, the vendors are thinking 'how can we sell more kit' rather than attempt to address the issues at the heart of mandatory breach notification laws which is 'how do we help our clients keep their information secure'."
Geek's Paior has a similar view. "As is often the case, the security vendors often focus their attention on the enterprise and larger scale customers. In the small to medium business MSP space very little communication or preparation has come from our usual vendors. To be honest the most useful information has come from the government websites and from members within the community-driven organisations Geek belongs to, like HTG Peer Groups," Paior said.
Diversus' Starsmeare said there have been conversations with Palo Alto Networks about the Privacy Act and protecting PII. "We both agree that technology is not the sole problem and equally that technology is not the only solution," he said.
Palo Alto Networks vice president and regional chief security officer Asia-Pacific Sean Duca told CRN that the vendor has put out briefings and workshops informing partners on the changes.
Duca sees the act as both a challenge and an opportunity for the partners. "It's a challenge from the perspective that some organisations may not understand what the pending law means and, with that, may also be under-prepared in protecting their customers' data. The opportunity here is that partners have the ability to provide further value to their customers and ultimately secure their customers' information."
Duca added that the legislation will be doing the right thing by the customer, which is protecting their data. "If organisations collect it, they need to protect it."
Peter Hewett, Trend Micro channel director Australia and New Zealand, said that there is a consulting opportunity for cyber security savvy partners to provide advice and guidance to their customers about what the legislation means, how they should prepare for it, and what they should do if a breach occurs.