How to plug holes in Australia's privacy law

By Chris Strand, global senior director of compliance, Carbon Black

While Australia's privacy law has made a good start in encouraging better security hygiene, it may not go far enough to get all Australian and partner businesses in line. The privacy act will pressure most Australian businesses to provide information on sensitive data breaches, since the law applies to commonwealth government agencies, private sector organisations and relevant businesses.

Its one downside is that the penalties are far below those of many recent privacy mandates. The Australian maximum penalties are $360,000 for individuals or $1.8 million for organisations, and breach disclosure applies only to organisations that exceed $3 million in annual turnover.

This is a far cry from the European Union General Data Protection Regulation (EU GDPR), which applies penalties of up to 4 per cent of GDP or up to 20 million euros ($A30 million), whichever is higher.

Big fines are not the only incentive to encourage better security practices, posture and hygiene. Privacy law should help to encourage breach disclosure, with merit given to those that practise privacy by design or who embed security into their data policy. Organisations that can account for their security systems, and that take steps to ensure they have the right technologies and plans in place to ensure and prove protection, can use solutions that help to expose or protect data, or that report on the existing security policy defining their data processes and hierarchy.

There is value in the approach taken by the Australian Signals Directorate (ASD) in actively engaging with businesses in the case of an incident and offering support before, during and after the mandatory notification that would be triggered under the breach notification laws. This also promotes the adoption of powerful mitigation techniques while encouraging businesses to move to a better security posture and transparency in data privacy and protection policy.

This is why my company chooses to align with the ASD security incident mitigation strategies, as they promote a positive approach to embedding data security into the business process from the outset. The ASD also recommends many essential technologies that can help organisations to automate and accelerate the mission of implementing better data security. Finally, security by default can help to shore up response plans so that they are ready in the event of a breach. We have always aligned with security baselines like the ASD's, which help to connect the dots between the regulation requirements and the security controls.

When it comes to improving incident response plans, practising the ASD security controls will help to ensure that the proper information is available when the IR process is conducted. Effectively, compliance with the data security mandate is already built into the IR process.

Are Australian organisations capable of providing information on sensitive data breaches?

With the right security solutions and proper preparation around security policy, architecture and implementation, such as proactive assessment and real-time prioritisation of security events, it is possible for organisations to report the full scope of a data breach.

But I'm not convinced they are quite ready to do this. Given the recent string of data and information breaches worldwide, there is still much to do to ensure breaches are discovered and reported accurately.

Evidence from many recent reports on data breach investigations shows that most organisations are not quite at the point of adequate breach intelligence reporting. According to the Ponemon Institute 2017 Cost of Data Breach Study sponsored by IBM, it still takes 214 days to identify a breach root cause, and another 77 days to contain a breach. These numbers are still much too high to align well with the current requirements listed in many data protection regulations that call for 72-hour notification.

Compliance regulation holes

A few obvious holes exist in the major Australian privacy mandates, such as the exclusion of companies under $3 million in turnover. That represents a large proportion of businesses and could account for a significant potential data loss that would never be publicly disclosed. The underlying problem is a deficiency in enforcement of the compliance regulations and security controls. With data exploits and losses in the first half of 2017 topping the entire year of 2016, we must ensure alignment with the security controls recommended in Australia's compliance regulations.

The key is to ensure that security controls required by compliance regulations are enforceable and measurable. This has always been a gap in the past, where security technology and regulations have never closed the distance between them. At least one security vendor is focusing on directly aligning security technology with regulations to address this gap.

Choosing the ASD as a compliance baseline to help target the security controls that need to be in place to protect data is one way that businesses can immediately identify anomalies in the business process, and also ensure that they have the security data on hand necessary to prove that an incident was dealt with proactively and that the security control was enforced as per the data privacy policy of the business.

New technology is also an incipient threat. I believe that submerging tech is putting compliance standards at risk. We have never had a period with more unsupported, vulnerable applications and operating systems globally than we do now. Many of the recent major exploits, such as WannaCry, succeeded by preying on unsupported system vulnerabilities, something that is unacceptable in this age of advanced security technology.

Our own technology has always recommended a defence-in-depth approach with proper application control and ironclad protection on the front end.

Just as the ASD mandates application whitelisting as the number one mitigation of its Essential Eight, we advocate a positive security approach that can prioritise events in real time. Enforcing the trust policy will eliminate the risk of vulnerabilities, while automating the process of identifying potential anomalies that target our systems and data.

News emerged recently that the ASD utilises Carbon Black technology among its own data security strategies.