Australian Privacy Act changes smell SOXish

0

By Matt Ramsay, Centrify Regional Director APACmatt ramsay v

Australian public and private sector organisations risk financial and reputational damage if they fail to address changes to the Australian Privacy Act that take effect in March 2014.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 was introduced to the Australia Parliament in May 2012 and was passed in November that year.

The new act includes a new set of harmonised privacy principles that regulate the handling of personal information by both Australian businesses and government agencies.

Unfortunately, these commendable changes introduce problems that reflect the ambiguity of the Sarbanes-Oxley (SOX) legislation in the US.

Enacted in 2002, the SOX law enhanced standards for US public company boards, management and public accounting firms that required top management to individually certify the accuracy of financial information, applying much more severe penalties for fraudulent financial activity.

While SOX has raised the compliance bar for corporate reporting, it has had the unintended impact of creating a lot of uncertainty because of its lack of precision.

In reviewing the changes to the Australian Privacy Act, I’ve concluded that IT security departments in both public and private sector organisations should take special note of key changes to the law and act now to prepare for March 2014.

The updated act implements 13 new Australian Privacy Principles (APP) replace the existing Information Privacy Principles.

The first major change is that the Privacy Commissioner will gain the power to investigate an organisation’s information security controls without receiving a complaint.

Obviously, to exploit high visibility as a deterrent, the Commissioner is most likely to exercise this power in the case of Tier 1 enterprises such as telcos, banks, or agencies providing critical government services.

Furthermore, the Commissioner can seek civil penalties for serious privacy breaches and accept enforceable undertakings. These penalties, which range from $340,000 for an individual to $1.7 million for an agency, are in addition to reputational brand damage that may result from such an investigation.

To comply with the new provisions of the Privacy Act, organisations need to provide the Commissioner with an assessment of the effectiveness of their controls protecting information systems.

From my review, it is clear that three key principles from this new privacy protection legislation are particularly relevant to IT Security.

APP 1 requires open and transparent management of personal information.  Entities “must” take “reasonable” steps to implement practices, procedures and systems relating to the privacy code.

What makes this smell a little “SOXish” is the imprecision of the term “reasonable steps” to control such as broad area as data access and control, which are essential aspects of information security and cooperation between IT, legal, risk and executive management without any specific guidance as to which internal controls must be assessed.

The second relevant principle, APP 8, establishes an entity’s responsibility for ensuring privacy for cross-border disclosure of personal information. If you don’t comply, you could be liable here.

This may be particularly relevant when an organisation uses Cloud-based services such as Office 365, Salesforce, etc, that can hold personal information yet may not be hosted in country. This scenario raises questions about potential privacy concerns and whether APP8 issues are at play.

The third relevant principle, APP 11, requires that an entity must take “reasonable steps” to protect unauthorised access and disclosure of information.

Again, the term “reasonable steps” is problematic because it is qualitative rather than quantitative.

During the past decade, Sarbanes-Oxley compliance costs and complexity have run out of control in the US. The SOX legislation is prescriptive without being descriptive: It tells you to jump, but not how high.

As a result, US corporations are required to jump a very high bar indeed so they are not threatened with non-compliance.

From March, Australian organisations will face the same dilemma with the new Australian privacy law – they “must take reasonable steps” to demonstrate compliance with the new legislation without a clear understanding of exactly what is required.

This challenge of coping with these changes is exacerbated by two major technology trends that are reshaping how private information is accessed and shared throughout the enterprise – Cloud services and mobility.

With the ubiquity of highly connected pocket-sized devices coupled with Cloud-enabled enterprise applications, private details are potentially more accessible and more vulnerable than at any time in our history.

For organisations to successfully comply with this new legislative environment, they need to ask not ‘what private information should we protect?” but “how should we protect it?”

To successfully comply with the new Australian Privacy Principles without onerous costs and complexity, both public and private sector organisations need to apply precise management of individual identities by embracing approaches such as Single Sign On (SSO) authentication and least privilege access controls.

As well as freeing your staff from needing to remember usernames and passwords and greatly simplifying the de-provisioning Cloud apps by tying all logons back to a single identity store such as Microsoft Active Directory, SSO provides a real-time corporate roadmap of an organisation’s APP compliance.

It is also highly likely that granting administrative privileges to numerous staff, whether at a local machine or wider level, will be regarded as unnecessary, far from best practice and thus entirely inconsistent with compliance to the new Australian Privacy Principles.

Share.