The amendments to the Act are scheduled to come into force on 12 March and will enforce tougher security and privacy requirements on all organisations with an annual turnover of more than $3 million, along with government agencies.
Notable in the changes is the requirement for businesses to go beyond check box compliance where security tools were merely switched on without regard to proper configuration and monitoring; Federal Privacy Commissioner Timothy Pilgrim has stated organisations that fail to detect a breach will fall foul of the amended Act and risk penalty through the courts.
Exactly how far the Office of the Australian Information Commissioner (OAIC) would require organisations to go in purchasing, configuring and monitoring systems is described only as reasonable steps. (pdf Download from Govt Site)
The Privacy Commissioner could impose financial penalties of $1.7 million on serious or repeatedly breached organisations and could compel them to notify national or state newspapers.
CRN spoke to dozens of security and IT managers and engineers, under condition of anonymity. The lack of clarity around the requirement of reasonable steps was a consistent theme.
Only chief security officers at some of the largest Australian organisations claimed the reforms would mean little to them, given their existing strict compliance requirements and large security budgets.
Matt Ramsay, APAC regional director of security vendor Centrify, warned organisations that the uncertainty of the Act was similar to the US Sarbanes-Oxley (SOX) legislation enacted in 2002 to shore up the accuracy of financial reporting.
“While SOX has raised the compliance bar for corporate reporting, it has had the unintended impact of creating a lot of uncertainty because of its lack of precision,” Ramsay said in a statement.
“SOX compliance costs and complexity have run out of control in the US during the past decade. The SOX legislation is prescriptive without being descriptive: It tells you to jump, but not how high. As a result, US corporations need to jump a very high bar indeed to avoid the threat of non-compliance.”
Robson urged caution about conflating the experience of SOX in the US with the new requirements of the Privacy Act.
“The most helpful approach that Privacy Act and security specialists can take in relation to assisting organisations with their new Privacy Act requirements is to provide a sober assessment of what could be reasonably expected of them,” he said.
Source: Darren Pauli CRN 28.1.14
