Channel professionals now have more insight into what constitutes 'reasonable security' under reforms to the Privacy Act set to come into force in seven days, with news that the Federal Privacy Commissioner will weigh up the size of an organisation's wallet when deciding whether hacked organisations are in breach of the regulation.
Organisations had earlier been told only that they must deploy 'reasonable' security measures to protect sensitive customer data, and that hacked entities could fall foul of the Act if they scrimped on security.
They were also warned by Federal Privacy Commissioner Timothy Pilgrim to "hit the ground running" and not expect extensions.
The reforms that consolidated Australia's disparate privacy laws were recommended in a 2008 landmark report by the Australian Law Reform Commission and adopted in 2011. Organisations and agencies with a turnover of more than $3 million would fall under the non-legally binding regulations.
Security professionals and IT managers at some of Australia's largest organisations, including retailers, independent stores and government agencies, said on condition of anonymity that they were collectively unsure of the minimum required to keep what they assume to be bloodthirsty privacy auditors at bay.
They were also taking bets on whether the office would strike hard and fast come 12 March and make an example, through the courts, of the first hacked organisation to fall foul of the Act.
Commissioner Pilgrim said the office would, in its tougher approach to compliance, consider the resources of any organisation that breaches the new Act.
"We would take into account the size of an organisation, but it is only one factor," Pilgrim said, adding that better-resourced organisations with systems such as intrusion detection and Security Information and Event Management must ensure those security platforms are properly configured and monitored, and not just turned on in the style of check-box compliance.
"We would be looking at what [security and risk] standards have been applied... to see what may be applicable to the size of the entity in terms of availability of systems and their cost," he said.
"At the end of the day an organisation can't be excused for [not] taking particular steps to protect the information they have – they must be taking some steps."
Hacked organisations that have failed to fix basic security flaws will receive little sympathy, regardless of whether they approach the office with out-turned pockets. Such flaws, Pilgrim outlined, include a failure to patch software against known security vulnerabilities.