Privacy Act's first year fosters new openness and promotes new levels of accountability.

It may have been over a year since a major overhaul of Australia's privacy laws pressured organisations to manage sensitive information better, but professional security service providers are still helping customers come to grips with the new laws.

One expert believes the changes to the Privacy Act 1988 – which saw two previously disparate sets of regulations for the protection of personally identifiable information (PII) combined into one 13-point set of Australian Privacy Principles (APPs) – are fostering a new level of openness that may pave the way toward breach notification laws being introduced in Australia within the next two years.

“The last year has been a period where there has been a higher level of engagement with our customers talking about issues associated with the revised Act,” explains Alan Coburn, security and risk consulting manager for Asia-Pacific and Japan with information security services provider Dell SecureWorks.

While many of those discussions relate to individual organisations' responsibilities under the new guidelines, a growing number of them come from organisations that are using the passage of the new legislation as a trigger to revisit long-standing policies around the protection of PII.

“We are beginning to have different conversations with our customers; there seems to be a dawning realisation that they need to change the way they look at their responsibilities for protecting customer data, that is beyond what is spurred by legislation and regulation. The APPs are really a manifestation of other good security practices around things like data classification,” Coburn continues, noting strong demand for privacy-related consulting services from Dell SecureWorks' consultants, who are, among other things, Governance, Risk and Compliance (GRC) specialists.

“Taking care of confidential, private and sensitive information is part and parcel of conversations we have always had with our clients,” he adds, “but we are now having more in-depth, mature conversations that indicate that businesses are taking information governance and their security posture more seriously. In the last year in Australia, we have seen a change in the type of conversations we are having; for the first time, we are seeing organisations reaching out to us and asking for more focused assistance with their security problems across all of our services.”

Just what form that assistance takes varies widely and depends on the particular vulnerabilities and requirements of each organisation's operating environment. However, since the APPs became law on 12 March 2014, they seem to have fostered a new openness that is helping Dell SecureWorks’ staff engage with its clients on the topic of PII protection in a more meaningful way, according to Coburn. A recent admission by telecommunications giant SingTel Optus, that some 300,000 customers' private information had been compromised in three separate incidents, was notable in that it resulted in the first-ever enforceable undertaking – in this instance, a security review process – to be issued by privacy commissioner Timothy Pilgrim through his office, the Office of the Australian Information Commissioner (OAIC).

Pilgrim recently indicated that he was “pleased” with the progress made towards compliance with the new laws, noting upon the OAIC's first annual review of the new legislation that the OAIC had received 4016 privacy complaints in the new legislation's first year.

The OAIC worked with 13 organisations to undergo formal privacy assessments, while some 104 voluntary data breach notifications were received during the year.

It is this last statistic that has Coburn optimistic that the growing culture of openness around PII protections has set the stage for the eventual introduction of mandatory data breach requirements in Australia as has already happened in other countries.

Such legislation seems much more likely in the wake of heightened discussion about it across Australian business and legal spheres, with Pilgrim among those raising the prospect of such laws on several occasions over the past year.

The OAIC's enforceable undertaking against Optus, which did not include financial penalties despite their being within the scope of the OAIC's jurisdiction, repeatedly lauded the cooperation of the telecommunications giant during the investigation of its breaches.

Among several penalties, Optus was ordered to review the IT architecture of its 20 most risk-exposed systems, rectify any identified issues, and have its compliance certified within 18 months.


Other organisations have been less forthcoming about their breaches. Online retailer CatchOfTheDay, for one, took several years to reveal that its systems were breached in May 2011, arguing that the hashed passwords were safe until recent “technological advances means there is an increasing risk that those hashed passwords may become compromised.”

Pilgrim's recognition of Optus' cooperation may provide solace for other companies concerned about confessing about their own breaches, Coburn says, noting that the proactive and productive dialogue between Optus and the OAIC reflects a new era of openness on breach sharing by Australian business.

“Organisations in Australia are suffering the same kind of intrusions, attacks and resulting breaches that we see elsewhere around the world,” he explains.

“The commissioner is trying to foster an atmosphere of organisations being able to feel more confident about disclosing information, and we're seeing that organisations in Australia are beginning to do the right thing.”


Improved transparency around breaches comes none too soon: report after report confirms that the overall threat from online attackers continues to grow, with ransomware in particular posing a massive threat to Australian businesses and consumers.

A perennial challenge in minimising exposure to ransomware is managing the considerable human element involved in repelling ransomware attacks – which often sees Dell SecureWorks engaged not in discussion around technology, but around “the people and process elements” of good incident response management, Coburn says.

Another significant challenge in the disclosure process – and another reason why more openness about PII exposure will improve companies' overall privacy posture significantly – is figuring out just what data an organisation is handling.

“Some of them struggle to really put their finger on the kinds of information that they acquire, how they store it and where,” Coburn says.

In terms of incident response, that can lead to drawn-out investigations where a lot of time can be spent trying to find the data that’s been targeted and then collect the associated security event information that helps track down the bad guys and figure out what they took.

In the event of a breach, the proverbial clock is already ticking – which makes such delays a significant obstacle. Better information governance, and preparation for breaches through better incident response processes and procedures, can help shorten the time to action by helping the teams “hit the ground running as soon as we hit the door,” Coburn says.

“These are costly events and the last thing you want to do is to waste time hunting down log information rather than hunting the bad guys.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
