The channel seems as mixed in its adoption of Privacy Act reforms now as it was confused about the changes when they were introduced on March 12 with much huffing and puffing and the odd threat.
Depending on who you talk to – on and off record – there is either a stack of companies wandering around in some post-Privacy reform wilderness untouched so far by Privacy Commissioner, Timothy Pilgrim, but still to adopt or adapt, or the reforms have been smoothly absorbed into daily channel workings by a significant number of businesses.
Even Pilgrim, who was quite talkative when the reforms were launched, warning that he would not take a “softly, softly” approach, has now gone quiet and had nothing to say to ARN this time. As the new Australian Privacy Principles (APP) slotted in, he offered reassurances that he “would always start by trying to resolve matters through conciliation”. But he also said once the changes came into effect, he could let himself in the door at “any time”.
On the day of the implementation, market research specialist, Core Data, reported that a third of small to medium-sized businesses were oblivious to the changes to the Privacy Act. In July, the firm’s principal, Andrew Inwood, revealed about 60 per cent of the decision makers it surveyed more recently remain unaware of the potential impact of the changes.
While the consequences have been reiterated - a fine of up to $1.7 million for those found repeatedly responsible for malpractice resulting in breaches - parts of the channel remain blinkered.
“My view is that a lot of people have done nothing,” Distribution Central executive chairman, Scott Frew, said. “There’s been a number of changes across both businesses that I own [DC and iAsset.com], but I think that generally, the IT market has not responded.
“I have not seen a lot of communication within the channel about the privacy act per se, and I am concerned that there are some organisations which have not taken this change seriously enough, and have not gone through the process of getting advice to protect the privacy of data. All you need is one customer that gets upset about its private data, and an organisation could be in a world of strife.”
The big guns have, for the most part, got it together (or at least claim to). Those with a prominent foothold in the Australian market (including global players with a physical local presence), security vendors, and resellers which specialise in security services have made investments in adapting compliance as part of constantly-evolving policies to minimise the risk of suffering a breach via attack or negligence. Whether complete prevention is possible is another matter.
Smaller resellers on the other hand are looking at means of remaining profitable in a growingly dense market, and do not have the time or inclination to invest heavily in compliance if it can be avoided, according to Frew.
“The response to the Privacy Act is kind of like widening the digital divide, so to speak,” IBRS advisor, James Turner, said. “Organisations that have a high degree of risk maturity - those that have good governance processes in place - have projects in the final stages.
“For the ones that are not getting active, it has got to be a bit of complacency.”
Turner warns those businesses that are not yet proactive that the brand damage incurred as a result of a breach could be far more lethal than the dollar penalty handed down by the Commissioner. While he maintains any breach is the attacker’s fault, Turner said “waiting three years” (figuratively) to resolve any non-compliance is unacceptable. Proof of preventative measures could be the difference between recovery and plunder.
“Can a small organisation recover? Yes, but everything depends on what an organisation did before and after the breach. If it has taken reasonable steps beforehand and is being communicative afterwards in terms of how it engages with stakeholders, it is recoverable, but will still take something,” he said.
Turner forecasts breaches from both within and outside the IT industry, and said an interesting discussion point is how organisations will deal with an employee who makes a mistake that puts the business in breach of the Act. “What disciplinary measures will be put in place? You cannot just fire somebody because they will come back and say they did not receive training.”
The level of adaptation to attain compliance with the Act’s amendments relies on the business itself. Service management provider, Dark Horse Systems, does not capture personal information of individuals, but handles that of its company clients. Adjusting to the change did not take much, according to director, Elie O’Han.
“It wasn’t a big issue. One of our senior staff attended a project management course and we applied what was said to our business,” O’Han said. “We made a few minor adjustments.
“We had to make sure we had the SSL certificates in place, and ensure that any parts of our systems where we had access to credit card information for customers’ accounts were protected, and that’s primarily in the Cloud services we provide.”
Although Dark Horse Systems claims no complications, businesses which continue to be most vulnerable are those with the highest value personal information and the weakest set of controls securing that data, as Missing Link security manager, Aaron Bailey, said earlier this year.
It has been five months since the amended legislation came into effect, and a concise indication of the channel’s compliance is as mixed and mysterious as it was in March. That is a conclusion based on the input of resellers, vendors, and distributors which have not shut the doors on providing insight; a number of organisations in the IT industry - including some very common names across hardware, software, and telecommunications - prefer to steer clear of the public discussion. On the flipside, many are quick to stake their security claim, although the effectiveness of policies can only be determined over time.
As IBRS outlines in its June 2014 report, “Privacy Act amendments: what leading organisations are doing”, some organisations have been proactive and subsequently spent hundreds of thousands of dollars to ensure compliance. A small number are covered by their international parents, but others have not yet started reviewing internal processes - all within what has been described as a disclosure regime rather than a consent one.
The fact that the document is not an easy one to read for all but lawyers will not hold up in court.
What to do if you haven't already done it
CA Technologies’ advice to partners is to assess visibility and control, two overlapping elements.
“We encourage partners to ask, ‘what and where is that personally identifiable information and, more importantly, who has access to it?’ Those questions are quite difficult to answer for a lot of organisations… but that visibility is important because it creates a lot of conversation in terms of where an organisation has got controls in place,” CA Technologies A/NZ solution strategist, Trevor Iverach, said.
According to Iverach, organisations should then consider whether there are any controls in place around the extent of data which administrators can access on a server in order to fulfill their role without exposing personally identifiable information.
“When the Commissioner comes and talks to you and says you have breached the Privacy Act, if you have information that shows what happened and how you will prevent it from happening, it will go a long way to reducing the penalty,” he said.