Tighter legislative controls over data security are inevitable in Australia, given a worldwide surge in security-related legislation and a growing need for specific data controls, a global analysis of legal obligations around data encryption has warned.
The study, conducted by legal firm FieldFisher and sponsored by security firm Vormetric, forecast a growing requirement for encryption as a result of ever-stricter corporate obligations around the protection of sensitive data.
“We will undoubtedly see the law becoming even more prescriptive over time about the nature of the encryption technologies that must be adopted and rolled out across organisations,” the paper's authors predicted.
The spectrum of security issues facing organisations has expanded and now includes management of access rights and privileges; data segregation; incident detection and threat pattern recognition; auditing; and training.
With cyber-security threat volumes increasing, the report said, companies will increasingly be expected to use security information and event management (SIEM) and other tools to analyse security and IP logs, in addition to the explicit provisions on encryption found in standards such as ISO/IEC 27001, where cryptographic controls are among the Annex A controls selected on the basis of a risk assessment.
“In the US and the EU the development of national cyber security strategies has highlighted the need to implement real-time access control measures to ensure data can be accessed only by those authorised to see it,” the report warns, “and to have in place pattern recognition technologies to capture intelligence post-event to identify anomalous processes and user access patterns.”
Noting that a company that has encrypted its data as a precautionary measure may qualify for the 'safe harbour' exemption from notification under US state breach disclosure laws (an exemption that generally applies only where the encryption key has not also been compromised), the researchers warn that the progress of legislation may soon remove the optionality of the technology.
“We can expect that an organisation's failure to implement such measures will be met with tough regulatory scrutiny and heavy sanctions,” they conclude.
Evaluating the requirement for encryption within Australia's privacy laws, the report noted that the obligation on organisations to take “reasonable steps” to protect personal information covers encryption both by implication and explicitly, in the context of “privacy enhancing technologies” such as “robust encryption”.
“Encryption is likely to be considered a reasonable measure to implement in order to protect personal information,” the report's authors conclude.
Changes to the Privacy Act that came into effect in March impose stricter technological requirements around the protection of sensitive data. Part IIIA of the Act, the report notes, spells out the Credit Reporting Privacy Code, which requires credit reporting bodies to “surround the information with appropriate technical and organisational security” to put the information they keep “beyond use”.
“While encryption is not listed as a specific method of ensuring information is 'beyond use',” the report says, “the inference is clear.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.