Story image

Australia’s breach disclosure policy has major holes, expert says

18 Oct 17

Australia’s breach disclosure policy doesn’t go nearly far enough in protecting consumers and pales in comparison to the European Union’s GDPR regulations. In fact, Australian privacy law may not go far enough to bring businesses and their partners in line.

Those are the statements from Carbon Black’s global senior director of compliance, Chris Strand. He believes that while the Privacy Act will pressure Australian organisations to report data breaches, it only applies to certain businesses.

“Its one downside is that the penalties are far below those of many recent privacy mandates. The Australian maximum penalties of $360,000 for individuals or $1.8 million for organisations - and breach disclosure applies only to organisations that exceed $3 million annual turnover,” Strand explains.

Because a large proportion of Australian businesses have less than $3 million annual turnover, this could mean a significant proportion could be exempt from reporting data loss.  

The European Union’s GDPR rules can penalise businesses for the amount which is highest: up to 4% of their GDP or up to 20 million Euros (AU$30 million).

While heavy (or not so heavy) penalties such as fines may scare businesses into compliance, there are other incentives to encourage better security.

Strand believes that privacy law should encourage breach disclosure and reward those that practice privacy by design or make it part of their data policies – including the right protections and plans in place.

These plans should help protect data or report the security policies in place.

He also believes that with the right security and preparation across policy, architecture and implementation, it is possible for organisations to deal with the full scope of a data breach.

“But I’m not convinced they are quite ready to do this today.  Given the recent string of data and information breaches worldwide recently, there is still much to do to ensure breach discovery and report perfection,” he explains.

New technologies are also risking compliance standards, Strand says.

“We have never had a period with more unsupported vulnerable applications and operating systems globally as we do now.  Many of the recent major exploits, such as WannaCry were successful by preying on unsupported system vulnerabilities – something that’s unacceptable in this age of advanced security technology,” he explains.

Strand notes that the Australian Signals Directorate engages with businesses before, during and after the mandatory notification that would be enacted under breach notification laws. It also follows an application whitelisting approach to mitigation.

“This also promotes the adoption of powerful mitigation techniques while encouraging businesses to move to a better security posture and transparency in data privacy and protection policy.”

Strand recommends a defence-in-depth approach with application control and protections.

“Carbon Black advocates that applying a positive security approach that can prioritise events in real time while enforcing the trust policy will lead to eliminating the risk of vulnerabilities, while automating the process of identifying potential anomalies that target systems and data.”

The secret to scaling DevOps in the digital era
"Organisations around the world have learnt at a cost that while agile DevOps methodologies can result in improved outcomes within teams and projects, they have a propensity to fail miserably."
APAC FinTech network launches to encourage cross-border innovation
Nine associations formally launched the network by signing a Statement of Intent at the Asian Financial Forum event in Hong Kong.
New blockchain solution aims to keep our food ethical
OpenSC enables anyone to scan product QR codes which automatically takes them to information about where a specific product’s journey.
Avaya expands AI offerings with new partnerships
The additions to the ecosystem will enable Avaya to add prioritisation and natural language processing to its UC solutions.
Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
SUSE partners with Intel and SAP to accelerate IT transformation
SUSE announced support for Intel Optane DC persistent memory with SAP HANA.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."