It may have been over a year since a major overhaul of Australia's privacy laws pressured organisations to manage sensitive information better, but professional security service providers are still helping customers come to grips with the new laws.
One expert believes the changes to the Privacy Act 1988 – which saw two previously disparate sets of regulations for the protection of personally identifiable information (PII) combined into one 13-point set of Australian Privacy Principles (APPs) – are fostering a new level of openness that may pave the way toward breach notification laws being introduced in Australia within the next two years.
“The last year has been a period where there has been a higher level of engagement with our customers talking about issues associated with the revised Act,” explains Alan Coburn, security and risk consulting manager for Asia-Pacific and Japan with information security services provider Dell SecureWorks.
While many of those discussions relate to individual organisations' responsibilities under the new guidelines, a growing number of them come from organisations that are using the passage of the new legislation as a trigger to revisit long-standing policies around the protection of PII.
“We are beginning to have different conversations with our customers; there seems to be a dawning realisation that they need to change the way they look at their responsibilities for protecting customer data, that is beyond what is spurred by legislation and regulation,” Coburn says. “The APPs are really a manifestation of other good security practices around things like data classification,” he continues, noting strong demand for privacy-related consulting services from Dell SecureWorks' Governance, Risk and Compliance (GRC) specialists.
“Taking care of confidential, private and sensitive information is part and parcel of conversations we have always had with our clients,” he adds, “but we are now having more in-depth, mature conversations that indicate that businesses are taking information governance and their security posture more seriously. In the last year in Australia, we have seen a change in the type of conversations we are having; for the first time, we are seeing organisations reaching out to us and asking for more focused assistance with their security problems across all of our services.”
Just what form that assistance takes varies widely, depending on the particular vulnerabilities and requirements of each organisation's operating environment. However, since the APPs became law on 12 March 2014, they seem to have fostered a new openness that is helping Dell SecureWorks' staff engage with clients on the topic of PII protection in a more meaningful way, according to Coburn. A recent admission by telecommunications giant SingTel Optus that some 300,000 customers' private information had been compromised in three separate incidents was notable in that it resulted in the first-ever enforceable undertaking – in this instance, a security review process – to be issued by privacy commissioner Timothy Pilgrim through his office, the Office of the Australian Information Commissioner (OAIC).
Pilgrim recently indicated that he was “pleased” with the progress made towards compliance with the new laws, noting upon the OAIC's first annual review of the new legislation that the OAIC had received 4016 privacy complaints in the new legislation's first year.
The OAIC worked with 13 organisations to undergo formal privacy assessments, while some 104 voluntary data breach notifications were received during the year.
It is this last statistic that has Coburn optimistic that the growing culture of openness around PII protections has set the stage for the eventual introduction of mandatory data breach requirements in Australia as has already happened in other countries.
Such legislation seems much more likely in the wake of heightened discussions about it across Australian business and legal spheres, with Pilgrim among those raising the prospect of such laws on several occasions over the past year.
The OAIC's enforceable undertaking against Optus, which did not include financial penalties despite these being within the scope of the OAIC's jurisdiction, repeatedly lauded the cooperation of the telecommunications giant during the investigation of its breaches.
Among several penalties, Optus was ordered to review the IT architecture of its 20 most risk-exposed systems, rectify any identified issues, and have its compliance certified within 18 months.
Other organisations have been less forthcoming about their breaches. Online retailer CatchOfTheDay, for one, took several years to reveal that its systems were breached in May 2011, arguing that the hashed passwords had been safe until recent “technological advances means there is an increasing risk that those hashed passwords may become compromised.”
Pilgrim's recognition of Optus' cooperation may provide solace for other companies concerned about confessing about their own breaches, Coburn says, noting that the proactive and productive dialogue between Optus and the OAIC reflects a new era of openness on breach sharing by Australian business.
“Organisations in Australia are suffering the same kind of intrusions, attacks and resulting breaches that we see elsewhere around the world,” he explains.
“The commissioner is trying to foster an atmosphere of organisations being able to feel more confident about disclosing information, and we're seeing that organisations in Australia are beginning to do the right thing.”
Improved transparency around breaches comes none too soon: report after report confirms that the overall threat from online attackers continues to grow, with ransomware in particular posing a massive threat to Australian businesses and consumers.
A perennial challenge in minimising exposure to ransomware is managing the considerable human element involved in repelling ransomware attacks. That often sees Dell SecureWorks engaged not in discussion around technology, but around “the people and process elements” of good incident response management, Coburn says.
Another significant challenge in the disclosure process – and another reason why more openness about PII exposure will improve companies' overall privacy posture significantly – is figuring out just what data an organisation is handling.
“Some of them struggle to really put their finger on the kinds of information that they acquire, how they store it and where,” Coburn says.
In terms of incident response, that can lead to drawn-out investigations in which a lot of time is spent trying to find the data that has been targeted, and then collecting the associated security event information that helps track down the attackers and figure out what they took.
In the event of a breach, the proverbial clock is already ticking – which makes such delays a significant obstacle. Better information governance, and preparation for breaches through better incident response processes and procedures, can help shorten the time to action by helping the teams “hit the ground running as soon as we hit the door,” Coburn says.
“These are costly events and the last thing you want to do is to waste time hunting down log information rather than hunting the bad guys.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.