Many companies may be feeling heightened onus to protect their data from theft as the new notifiable data breaches (NDB) scheme kicks into effect tomorrow, but companies considering broad employee and data monitoring programs will want to proceed carefully despite a global review that found such programs are easier to introduce in Australia than almost any other country.
The NDB scheme imposes potentially harsh penalties on companies that fail to disclose breaches of data that they are required to protect under existing Privacy Act provisions. Its goal is to improve transparency and consumer awareness about potential misuse of their personal data – but its enforcement is likely to catch many companies by surprise given that many remain unaware of it and others are unsure what steps to take to ensure compliance.
“NDB is going to help organisations realise there are unknown threats out there,” said on McGettigan, senior regional director for ANZ and South Pacific islands with Fortinet, in a statement. “With the legislation in place, non-compliance is no longer an option. Businesses who don’t commit to protecting their customer’s data will finally have to face the consequences, and for many this will be a big wake-up call.”
Some will try to tighten their security practices with new employee-monitoring tools, which allow for regular screenshotting and other methods of monitoring everyday activity.
Such tools can potentially highlight cases where inadvertent clicks or movement of sensitive data may have compromised data protections – but an extensive analysis of employee-monitoring legislation warns CSOs considering such actions to ensure they are working in lockstep with legal regulations in every jurisdiction where they function.
Recently completed by legal firm Hogan Lovells in conjunction with Forcepoint, Managing Workforce Cyber Risk in a Global Landscape: A Legal Review analysed the legal frameworks around employee monitoring – which is regulated by data privacy and protection laws, communications secrecy laws, and employment laws – in 15 countries.
Australia’s privacy, workplace and other legislation was easier to navigate than the laws in any other country except the United States – but that doesn’t mean that companies can haphazardly introduce monitoring programs to improve detection of data breaches under NDB, or to meet coming privacy obligations under the European Union general data protection regulation (GDPR) when it takes effect in May.
Companies deploying monitoring tools need to ask themselves four key questions, the analysis recommended, including whether the deployment of the tool or measure is intended to address an identified cyber risk; whether the use of the tool or measure will effectively address the identified risk; whether other tools could be used to address the risk in a manner that would have less impact on employee privacy; and whether the impact on employees’ privacy will outweigh the benefits to the organisation.
Such guidelines are relevant in all kinds of cybersecurity tools deployments, but the expected surge in NDB-related activity over coming months will reinforce their importance for CSOs and other executives working to bolster their organisational controls.
“Whether a particular measure is reasonable will depend, among other things, on the sensitivity of the information collected, the nature of the systems that are being protected, the nature and severity of the threats facing the organisation, and the laws and regulations to which the organisation is subject,” the authors advise while encouraging organisations to document their evaluation of tools to “demonstrate efforts to comply with applicable laws”.
CSOs should not go it alone when developing such programs or implementing tools to improve monitoring in line with NDB’s expectations. Multi-disciplinary teams are crucial for developing policies that stay on the right side of employee-monitoring laws, and security professionals must engage with legal and other stakeholders at every step to ensure that they don’t overstep their responsibilities under the new scheme.
“Compliance is more than just meeting regulation commitments,” Fortinet’s McGettigan said. “It’s about adapting to a threat-aware, risk-based approach. There’s a broad scope of readiness among Australian businesses. NDB will hopefully shift the dial on the way they think about the threats they face and how to prepare for them, how to take the steps to mitigate risks with encryption and secure data before a breach occurs.”