Report on how the changes to the Privacy Act will be enforced

March 6, 2014 |

How the Privacy Commissioner will approach compliance is a matter of some conjecture.  He has put out a statement on enforcement.  It is not the most clear cut and emphatic document one would read this year. Trying to devine an approach is challenging.  Itnews reports in Privacy Act audits will consider infosec budgets that while the Privacy Commissioner will not accept laxity he will take into account the resources of a company when dealing withe breaches due to hacking attacks.  There is always a danger with sliding scale standards. For one thing what is an appropriate budget for an organisation of a certain size.  And then what other factors are relevant, such as the nature of personal information held.  Easier to require organisations meet industry standard than to allow small organisations plead poverty in having inadequate protections.  As much as possible objective standards should be the starting and ending points when measuring compliance.  That is not always possible but the suggestion that compliance has a range of standards is poor public policy.

It provides:

But commissioner says lax resources no excuse to not patch.

 The Australian Privacy Commissioner will take into account the size of an organisation’s wallet when it cracks down on hacked companies under the tougher Privacy Act set to come into force next week.

Small organisations across Australia with revenues above $3 million will breathe a collective sigh of relief at the news that they will not be punished with fines and regular compliance audits simply because they lacked the resources to invest in high-end security technology and processes.

Until today, organisations were instructed only to deploy ‘reasonable’ security measures to protect sensitive customer data.

They were also told by the Privacy Office that scrimping on security for sensitive customer data, should an organisation be breached, would result in a black mark by the Office and heighten the chance of costly regular government audits.

Adding fuel to the fire, organisations were warned by Federal Privacy Commissioner Timothy Pilgrim to “hit the ground running” with compliance and not expect extensions.

The reforms that consolidate Australia’s disparate privacy laws were recommended in a 2008 landmark report by the Australian Law Reform Commission, passed into law in 2011, and come into force on March 12.

Security professionals and IT managers at dozens of Australian organisations – including some of the nation’s largest household names, independent stores and government agencies – spoke on condition of anonymity about their fears for what the act holds.

Since draft guidance for the reforms was released late last year, they were collectively unsure of what was required at minimum to keep privacy auditors at bay.

They also took bets on whether the Office would strike hard and fast come March 12 and make an example through the courts of the first hacked organisation to fall foul of the act.

In an effort to quell some of these concerns and what he deemed a misreading of the Amendments by this publication, Commissioner Pilgrim said the Office would, despite its tougher approach to compliance, consider the resources of any organisation that breaches the new Act.

“We would take into account the size of an organisation, but it is only one factor,” Pilgrim told SC, adding that more resourced organisations must ensure security platforms are properly configured and monitored, and not just turned on in the style of check box compliance.

“We would be looking at what [security and risk] standards have been applied … to see what may be applicable to the size of the entity in terms of availability of systems and their cost,” he said.

“At the end of the day an organisation can’t be excused for [not] taking particular steps to protect the information they have — they must be taking some steps.”

Hacked organisations that have failed to fix basic security flaws will receive little sympathy regardless if they approach the office with out-turned pockets. Organisations that allow, for example, hackers to break into their infrastructure because they ran an unpatched instance of ColdFusion would fall foul of the Act.

IPSec director of operations Ben Robson said organisations will likely take little action to comply until precedents are set.

“The practical consequence of this, I believe, is that Australian organisations will take modest steps towards privacy protections but will not be fully committed to compliance until there are sufficient rulings against organisations of a similar size to their own,” Robson said.

“That is to say, that smaller organisations will largely ignore rulings against larger organisations and larger organisations will probably already have in place what is expected of smaller organisations.”

It appears unlikely that the Office will seek to make an example of the first company to be breached. The initial months following March 12 will see the Office “working with entities to ensure” organisations and agencies “understand the new requirements and have the systems in place to meet them”.

It would adopt “an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements”.

Large Australian organisations including banks, telcos, retail chains, insurers and government agencies have implemented privacy reform and review schemes with some mulling plans to rip and replace customer database management systems.

But tech representatives for the small end of town have warned those businesses were unaware or uninterested in investing to comply with the reforms.

Sense of Security southern region business manager Aarron Spinley said the first point of difference between how large and small organisations comply to the new Act will be in the execution of policies.

“In regard to the potential or perceived disparity between the assessment of large versus small organisations, the first real measure is likely to be the presence or absence of any overriding governance arrangements,” Spinley said.

“Policy statements may not differ between large and small organisations, but the way that policy is implemented will.”

Pilgrim said organisations voluntarily confessing breaches to the office and alerting compromised users — in lieu of the scuppered mandatory reporting scheme — would be considered to have taken at least one ‘reasonable step’ to comply with the Act. The office received about 30 voluntary data breach notifications from organisations in the current financial year.

He advocated organisations to initiate privacy and impact assessments to determine where sensitive customer information lies, who could access it, and what were the risks of holding that information.

Smaller organisations unsure of where to start in terms of compliance should look to ISO security and risk standards, Pilgrim said.

Organisations should note that dangers lurk not in fines but in the impact of the security exposures leading to breaches, according to Distribution Central managing director Nick Verykios.

“When the focus is on fines, legislation and compliance, the security policy is significantly compromised,” Verykios said.

“Because security problems, any kind and inclusive of data leakage and those associated to privacy legislation, can bring an entire organisation to a standstill or down for good. That is the historic truth.”

He said it would be positive if the threat of fines under the Act served to push organisations to update their data security policies and strategies to address security threats.

The Privacy Commissioner issued a statement today to clarify the issue, Cyber attacks do not mean businesses are ‘off the hook’.

It provides:

‘Recent media reports have suggested that organisations that experience a data breach as a result of a cyber-attack or hack are ‘off the hook’ or won’t be held accountable for the exposure of personal information.

This view does not accurately reflect the Australian Privacy Principles (APPs) in the Privacy Act 1988 (that come into force on 12 March 2014) nor the Office of the Australian Information Commissioner (OAIC)’s APP guidelines which have been issued to support businesses and agencies implementing practices, procedures and systems that will ensure they comply with the APPs.

APP 6 outlines when an APP entity may use or disclose personal information. Under APP 6, an APP entity is not taken to have ‘disclosed’ personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. However, the organisation may still be found in breach of APP 11 when this occurs.

APP 11 requires an organisation that holds personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be a breach of APP 11. The OAIC has previously found, after investigation, that organisations were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.

Regular review of information security measures is crucial, particularly given how regularly organisations change their processes, information, personnel, applications and infrastructure, as well as changing technology and security risks. Organisations must implement and maintain information security measures that respond to this changing landscape. The OAIC also expects that entities will regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect personal information.

In summary, while an organisation may not be found to have ‘disclosed’ personal information following a data breach or cyber-attack (under APP 6), the organisation may still be found in breach of APP 11 if it did not take reasonable steps to protect the information from unauthorised access, such as a cyber-attack.’

Office of the Australian Information Commissioner


Leave a Reply