When former Prime Minister Kevin Rudd successfully challenged for the Labor leadership earlier this year, on the last day of parliament, most resellers saw little connection between the fateful political square-up and the operation of their business.
But the challenge had a significant effect on the shape of the changes to privacy laws that are set to take effect on March 24 next year. On the day of the challenge, the most contentious of the new privacy laws, which had been widely predicted to be waved through, was not voted on.
As a result, mandatory data breach notification laws will not be included in the 13 new privacy principles that are set to shake up the channel next year. However, the Australian privacy commissioner, Tim Pilgrim, will almost certainly push for the amendment to be brought back, and it is now a question of how quickly an Abbott government will move on the reform.
Despite this, the changes are still the biggest in the field of privacy in 25 years and channel players need to act now to protect themselves. Pilgrim will be empowered to hand out fines of up to $1.7 million to a company and $370,000 for an individual breaching the 13 rules.
Pilgrim said there were currently no mandatory breach notification laws before parliament and he was not aware of whether the new government planned to re-introduce them. But he will still be holding a very large stick and he’s not afraid to use it.
“I will not be taking a softly, softly approach to these new laws,” he said. “Let’s remember that the public sector has been working with the Privacy Act for nearly 25 years and the private sector has been working with the Privacy Act for over 12 years, so these concepts are not new.
“However, I would also note that since I became privacy commissioner in mid-2010, I have been telling businesses and government that my focus will always be on resolving the majority of complaints via conciliation.”
Five months to go
But, according to Pilgrim, with only five months until the new laws are here, there are a lot of things firms can be doing now to prepare.
“They should be reviewing outsourcing arrangements, particularly if these involve the disclosure of personal information outside Australia.
“Also, direct marketing practices should be reviewed to ensure that new requirements are being considered.”
Controversial and messy
Under the new laws companies that send personal information overseas will be liable for any breaches that occur through an overseas partner under Privacy Principle 8 on cross-border disclosure.
Co-convenor cyberspace law and policy, UNSW law faculty, David Vaile, said this was controversial and messy in terms of interpretation of the new law.
“The practice of the Privacy Commissioner has generally been not to actually make determinations on complaints, which would be the equivalent of court judgements, so there is little true ‘case law’ to assist determining how the Act will be interpreted,” he said. “The safest approach would be to assume you remain fully responsible [liable] for the handling of personal information by offshore entities.
“So you would want to consider rock solid contracts, very intrusive due diligence as if you were checking out your own security, and regular audits for compliance with Australian privacy law and effective best practice IT security.
“If something goes wrong and you end up carrying the can, every clear effort you made to ensure you are treating the privacy of the data entrusted to you as if it remains in your own hands will tend to count towards the ‘reasonableness’ of your efforts.”
While the mandatory breach laws did not pass through the parliament, Vaile also believes that could change. “If Australia does not make it mandatory, it is the odd one out, as there are laws to require disclosure in the US and EU, and other places,” he said. “To be safe, make preparations for detecting, recording, disclosing and remedying breaches on the basis that you will probably at a minimum be required to audit it internally, and more likely make appropriate disclosures.
“Be proactive, put in place world’s best practice, most transparent plans so you aren’t caught out looking like you want to hide. Breaches happen, the issue is what you do next.”
Vaile suggested an audit of data that fits with the definition of “personal information” under the Privacy Act, including information from which someone’s identity “could reasonably be ascertained”. This is broader than the US “personally identifying information”, which is not much more than name and address. It could include data such as cookie info, IMEI, MAC address, IP address, location, and many others, when combined in newly available tools especially in the Big Data area.
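The audit Vaile describes starts with finding out which fields in a data store actually carry identifiers of the kind the Act reaches. The following script is an added example, not code from the article or from anyone quoted in it: it scans a constructed set of customer records for the identifier types listed above (email, IP address, MAC address, IMEI, location, cookie-style session tokens) and then rates how re-identifiable the data set is. The column names, sample values and the matching heuristics are all assumptions made for the example; a real inventory would tune the patterns to its own schema and treat the output as a starting point for a legal assessment, not as one.

```python
import re
from collections import defaultdict

# Heuristic patterns for identifier types the article names as potentially
# "personal information". These are constructed for an internal data
# inventory and are not a legal test of what the Privacy Act covers.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "ipv4": re.compile(
        r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
    ),
    "mac": re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"),
    # 15 digits is only a candidate; the Luhn check below confirms an IMEI.
    "imei_candidate": re.compile(r"^\d{15}$"),
    "lat_long": re.compile(r"^-?\d{1,2}\.\d+,\s*-?\d{1,3}\.\d+$"),
    # Long opaque tokens of the kind set in tracking cookies (assumed shape).
    "cookie_id": re.compile(r"^[A-Za-z0-9_-]{24,}$"),
}

# Identifiers that point at one person on their own, versus ones that only
# become identifying when combined (the "Big Data" concern in the article).
DIRECT_IDENTIFIERS = {"email", "imei", "mac"}
QUASI_IDENTIFIERS = {"ipv4", "lat_long", "cookie_id"}


def luhn_valid(digits):
    """Luhn checksum used by IMEI numbers; returns True if the check digit is consistent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the identifier category of a single value, or None if nothing matches."""
    v = str(value).strip()
    for name, pattern in PATTERNS.items():
        if pattern.match(v):
            if name == "imei_candidate":
                # A 15-digit number that fails Luhn is just some numeric id.
                return "imei" if luhn_valid(v) else "numeric_id"
            return name
    return None


def audit_records(records):
    """Map each field name to the set of identifier categories seen in it."""
    findings = defaultdict(set)
    for record in records:
        for field, value in record.items():
            category = classify_value(value)
            if category:
                findings[field].add(category)
    return dict(findings)


def reidentification_risk(findings):
    """Rate the data set: 'direct', 'combined' (two or more quasi-identifiers), 'quasi' or 'none'."""
    categories = set().union(*findings.values()) if findings else set()
    if categories & DIRECT_IDENTIFIERS:
        return "direct"
    quasi = categories & QUASI_IDENTIFIERS
    if len(quasi) >= 2:
        return "combined"
    if quasi:
        return "quasi"
    return "none"


# Constructed sample records; the IMEI values are the well-known test number
# 490154203237518 (Luhn-valid) and a one-digit variant that fails the check.
SAMPLE_RECORDS = [
    {"customer_email": "alice@example.com", "device_imei": "490154203237518",
     "last_ip": "203.0.113.7", "geo": "-33.8688, 151.2093",
     "session": "c3VwZXJfc2VjcmV0X2Nvb2tpZV9pZA", "plan": "gold"},
    {"customer_email": "bob@example.com", "device_imei": "490154203237519",
     "last_ip": "198.51.100.22", "geo": "-37.8136, 144.9631",
     "session": "YW5vdGhlcl9jb29raWVfaWRfaGVyZQ", "plan": "silver"},
]

if __name__ == "__main__":
    found = audit_records(SAMPLE_RECORDS)
    for field, cats in sorted(found.items()):
        print(f"{field}: {', '.join(sorted(cats))}")
    print("re-identification risk:", reidentification_risk(found))
```

Run against the sample, the script flags every column except `plan` and rates the set as directly identifying because of the email and IMEI columns. The more useful case for the audit Vaile has in mind is a table with no direct identifiers at all: two or more quasi-identifier columns (say IP address plus location) still rate as `combined`, which is exactly the "could reasonably be ascertained" situation the article warns is broader than the US notion of personally identifying information.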
Thomas Duryea CTO, Rhys Evans, said the lack of court precedents would make the operation of the new laws “ridiculously confusing” until somebody was taken to court.
“From our perspective, I think it’s going to be a big change for the SI industry and it will have to be a lot stricter about how it shares data and who it shares data with,” he said.
“If we start seeing those very large vendors such as Microsoft and EMC changing their compliance on how they share data with the community, that will have an effect on distributors and SI partners.”
Despite the fanfare, one in three Australian businesses is still unaware of the incoming reforms, according to a recent report from cyber-security firm Clearswift.
Its A/NZ Regional Director, Michael Toms, said encryption, which was already strong in Europe due to stricter privacy laws, could come to the fore to avoid data leakage.
“Your typical encryption of email transmission is quite key to ensuring you’re not getting eavesdropped,” he said.
“But if you’re an organisation which receives unsolicited information that could be deemed to be sensitive it’s your responsibility to deal with that, determine whether it’s information that you should be collecting in your normal business process, but if it isn’t you have to destroy it really quickly.”
He also warned if you were collecting data that was not for your primary purpose of business you could be at risk and recommended increasing the business’ scope in a clearly set out policy.
“The small resellers don’t have the bandwidth for those sorts of policies to be maintained and policed, and if you have got a business process that has been functioning in a certain way for a long time these people are potentially releasing information not knowing that their current business process is broken.
“But you have got a certain amount of leverage as long as you are documenting certain procedures.”
The Missing Link security manager, Aaron Bailey, said client take up was still slow in terms of preparation for the changes.
He said providing education and partnering with consultants who could conduct Privacy Impact Assessments (PIA) was a good starting point.
“These can be conducted either holistically to the client's complete ICT environment as an overview, or during a project lifecycle that implements or updates a system that may handle, hold, access or correct personal information,” he said.
“The channel needs to provide clients with consulting around incident response, data breaches, risk assessment and preventative measures.”