Apologies for the delay in posting; it’s been a long time, I know. Life has gotten to me with a number of big projects, so I haven’t had a chance to post.
In any case, today I’d like to post on the upcoming Privacy Act amendments, which have been entered into legislation and take effect in March 2014. Many people are unaware of the changes to the existing Privacy Act and the effect they will have on small businesses (anyone over $3M in revenue is subject to this act).
For companies that are affected by the act, it’s very important to understand what it means to you and your business and the steps that will need to be taken to ensure that you don’t become one of the first companies in Australia to be punished under the act.
At a high level the act comprises a number of mandates about the level of security and protection you need to offer the customer data that you keep in your control – including customer data that may be stored outside your own facilities (such as in a shared datacentre, or with DropBox, GoogleApps or Office365).
To take a small reading of the act:
“…an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification, or disclosure.”
This appears very broad in its wording (and potential application), and it’s likely deliberate – it would be very hard to enumerate every protection of consumer data that could potentially be required out there.
Some of the penalties for breaching aspects of the Privacy Act through the loss of customer data are huge – up to $370,000 for individuals and $1.7M for companies. Whilst the reputational issue of losing a customer’s data is significant, this is of particular concern to those smaller companies for whom a fine of this size would effectively push them out of business – a larger company such as one of the big banks could continue on, but a 30 seat accounting business wearing a $1M fine would likely end that organisation for good.
It’s also important to note that onerous fines are not the only remedy available to the government under this act – it would also be possible for the Privacy Commissioner to conduct its own investigations and demand that organisations show the precautions they have in place, along with placing binding undertakings on organisations to remedy failures in process around privacy.
Unfortunately, smaller businesses often haven’t invested in security and data loss prevention the way bigger organisations have, as they have not seen the need to until now. This leaves them very susceptible to compromise: without appropriate investment in protection it would be very easy for nefarious insiders or external ‘hackers’ to access customer information and thus expose the organisation to remedies under the act.
Some of the technology solutions that may be required include:
- Appropriate workstation and server anti-malware protection
- Security patching of all assets (both computers and network devices)
- Disk encryption for servers and workstations (particularly for travelling laptops/mobile devices)
- IDS/IPS and Firewall to prevent external threats
- DLP solutions to analyse the flow of customer information and where it may be compromised
- Reviewing staff access permissions
- Securing company database assets in an appropriate fashion (access control, location etc)
But there is also a significant amount of work to be done on governance such as:
- Education of staff so they understand the ramifications of taking/sharing data (particularly in a social engineering capacity) and their responsibilities under the Act
- Review of security and access control policies across your organisation
- Testing of the above policies and technology solutions regularly to assure outcomes are in line with expectations
- What processes are adhered to when customer data is requested and what process is followed if there is a breach of customer data
- What happens to retired computer assets to ensure data isn’t contained on them when they are no longer needed
- How do you handle employees working from home or on the road and the security of their mobile devices/laptops? What policies are attached to this sort of employee and their company assets?
- How do you deal with the influx of BYOD and non-controlled devices coming into the organisation?
The full guide on Information Security compliance is here: http://apo.org.au/sites/default/files/docs/information-security-guide-2013_WEB.pdf
This is a landmine for businesses not expecting further compliance requirements outside of what they are already doing – but I would suggest that nearly 100% of businesses will have to do something to meet their compliance requirements in light of this amended act.
If you have any questions about the above – please feel free to reach out to me to discuss.
Thanks go to McAfee for their take on the above and prompting me to write this blog.