Good fences make good neighbours

It’s not that long since I wrote a blog post bemoaning Australia’s privacy laws as ‘toothless tigers’, so I welcome the recent announcement that disclosure and privacy reforms could be fast-tracked

It’s not that long since I wrote a blog post bemoaning Australia’s privacy laws as ‘toothless tigers’, pointing to our country’s lack of mandatory disclosure legislation as an ongoing challenge for information security. As such, I welcome Home Affairs Minister Brendan O’Connor’s recent announcement that disclosure and privacy reforms could be fast-tracked, provided the department was presented with evidence that enterprise information security was inadequate. For all that, I’ll be keeping the bubbly on ice for the time being...

While I do welcome the prospect of reforms that feel like they’ve been in the discussion stages forever finally seeing the light of day, you have to question the adequacy of a process that calls on those with the most to lose to own up to their failings, so that the process by which they’ll be penalised can be expedited.

The Australian Law Reform Commission first published its recommendations for data breach notification legislation back in 2008. And with public consultation for the privacy reforms ending on November 3rd, it’s hard not to be cynical and wonder whether we’re looking at another long period of talk with little in the way of action. Meanwhile, SC Magazine reports that security specialists claim the scale of Australia’s data theft problem goes well beyond anything our government or even the local media know about.

Australians were first asked to consider whether privacy was a legal right back in 1937. On that occasion, Chief Justice Latham said that “Any person is entitled to look over the plaintiff’s fence and to see what goes on in the plaintiff’s land. If the plaintiff desires to prevent this, the plaintiff can erect a higher fence.”

All well and good when few homes had even a telephone, but in a digital age, it’s increasingly difficult for individuals to erect higher fences around all the personal data they’re obliged to submit for even the simplest of day-to-day tasks. Financial services verification routinely involves the furnishing of further identifying details, from passports to driving licences, place of work, payroll numbers, even your mother’s maiden name. And while logic says the onus for building adequate fencing around that data lies with the organisation that holds it, the law suggests otherwise – and the absence of any clear mandatory penalty underlines a highly unsatisfactory state of play.

While we’ve been strolling towards a solution, it’s not only technology that’s outstripping us; other countries and regions such as the EU and US have implemented some major changes in recent years, where prompt responses and fines for data breaches are the standard minimum requirement to keep organisations of all kinds on their toes.

Data breaches are, sadly, inevitable. It’s impossible to prevent an employee from accidentally leaving sensitive paperwork on public transport, for example. But there are still some practical solutions. In the first instance, it’s important that legislation is in place; after that, it’s ultimately up to businesses to take responsibility for themselves by taking practical steps to educate employees and create visible security across the organisation. Businesses should apply visible security strategies, informing users of policies, using tools to remind staff of what constitutes a breach and enabling managers to get a better handle on their data and where it is.

Businesses in Australia are playing their part, but more certainly needs to be done when it comes to legislation and education. As of April this year, twice as many breaches were reported compared to 2010. The law needs to be reinforced and reviewed to accelerate post-breach actions so that companies can take responsibility and put solutions in place. The time for talk has passed.

Phil Vasic is Regional Director, APAC, at software security company Clearswift.
