Channel professionals are unable to fully exploit opportunities created by amendments to the Australian Privacy Act thanks to a lack of clarity about how prescriptive the changes will be and how severely it will be enforced, experts have told CRN.
The amendments to the Act are scheduled to come into force on 12 March and will enforce tougher security and privacy requirements on all organisations with an annual turnover of more than $3 million, along with government agencies.
Notable in the changes is the requirement for businesses to go beyond checkbox compliance where security tools were merely switched on without regard to proper configuration and monitoring; Federal Privacy Commissioner Timothy Pilgrim has stated organisations that fail to detect a breach will fall foul of the amended Act and risk penalty through the courts.
Exactly how far the Office of the Australian Information Commissioner (OAIC) would require organisations to go in purchasing, configuring and monitoring systems is described only as reasonable steps.
Ben Robson, director of operations at Melbourne-based security specialists IPSec, told CRN: "The principal issue I have in relation to the impending Privacy Act compliance requirements is the number of ambit claims around what is or isn't required when in reality nobody knows... while it is possible that the courts will set that bar very high, thereby applying heavy fines against companies with relatively low revenues, it also means that it is possible that they will set the bar fairly low, thereby defining that organisations with lower revenues are not expected to implement significant levels of privacy controls.
"Once the OAIC and the courts have provided clarity around the definition of 'reasonable' we are likely to see organisations take significant, but appropriate, actions towards compliance with the new Privacy Act requirements. Until such clarity exists, organisations are being asked to hit a moving target," he added.
Robson said the amendments could become a great boon to the security industry should the OAIC be successful in prosecuting rigid standards through the courts, but could fizzle should the opposite occur.
The Privacy Commissioner could impose financial penalties of $1.7 million on organisations responsible for serious or repeated breaches and could compel them to publish notices in national or state newspapers.
CRN spoke to dozens of security and IT managers and engineers, under condition of anonymity. The lack of clarity around the requirement of reasonable steps was a consistent theme.
Only chief security officers at some of the largest Australian organisations claimed the reforms would mean little to them, given their existing strict compliance requirements and large security budgets.
Matt Ramsay, APAC regional director of security vendor Centrify, warned organisations that the uncertainty of the Act was similar to the US Sarbanes-Oxley (SOX) legislation enacted in 2002 to shore up the accuracy of financial reporting.
“While SOX has raised the compliance bar for corporate reporting, it has had the unintended impact of creating a lot of uncertainty because of its lack of precision,” Ramsay said in a statement.
“SOX compliance costs and complexity have run out of control in the US during the past decade. The SOX legislation is prescriptive without being descriptive: It tells you to jump, but not how high. As a result, US corporations need to jump a very high bar indeed to avoid the threat of non-compliance.”
Robson urged caution about conflating the experience of SOX in the US with the new requirements of the Privacy Act.
"The most helpful approach that Privacy Act and security specialists can take in relation to assisting organisations with their new Privacy Act requirements is to provide a sober assessment of what could be reasonably expected of them," he said.