Tighter data regulations will mandate encryption, SIEM use: FieldFisher

Tighter legislative controls over data security are inevitable in Australia given a worldwide surge in security-related legislation and the growing need for specific data controls, a worldwide analysis of legal obligations around data encryption has warned.

The study, conducted by legal firm FieldFisher and sponsored by security firm Vormetric, forecast a growing requirement for encryption as a result of ever-stricter corporate obligations around the protection of sensitive data.

“We will undoubtedly see the law becoming even more prescriptive over time about the nature of the encryption technologies that must be adopted and rolled out across organisations,” the paper's authors predicted.

The spectrum of security issues facing organisations has expanded and now includes management of access rights and privileges; data segregation; incident detection and threat pattern recognition; auditing; and training.

With cyber-security threat volumes increasing, the report said, companies will increasingly be expected to use security information and event management (SIEM) and other tools to analyse security and IP logs – in addition to what are often explicit requirements to use encryption, as in the ISO27001 global security standard.

“In the US and the EU the development of national cyber security strategies has highlighted the need to implement real-time access control measures to ensure data can be accessed only by those authorised to see it,” the report warns, “and to have in place pattern recognition technologies to capture intelligence post-event to identify anomalous processes and user access patterns.”

Noting that a company that has encrypted its data as a precautionary measure may be recognised for 'safe harbour' protection under US breach disclosure laws, the researchers warn that the progress of legislation may soon remove the optionality of the technology.

“We can expect that an organisation's failure to implement such measures will be met with tough regulatory scrutiny and heavy sanctions,” they conclude.

Evaluating the requirement for encryption within Australia's privacy laws, the report noted that requirements for organisations to take “reasonable steps” to protect personal information include encryption both by implication, and explicitly in the context of “privacy enhancing technologies” such as “robust encryption”.

“Encryption is likely to be considered a reasonable measure to implement in order to protect personal information,” the report's authors conclude.

Changes to the Privacy Act, which came into effect in March, introduce stricter technological requirements around the protection of sensitive data. Part IIIA of the Act, the report notes, spells out the Credit Reporting Privacy Code – which requires credit reporting bodies to “surround the information with appropriate technical and organisational security” to put the information they keep “beyond use”.

“While encryption is not listed as a specific method of ensuring information is 'beyond use',” the report says, “the inference is clear.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
