
01 Aug, 2014


Australia’s New Privacy Laws, Important Insights


The reforms to the federal Privacy Act include significant changes to the existing privacy principles which apply to private and public sector organisations and businesses. The new laws place greater obligations on Australian companies to ensure that they have thorough and transparent practices, methods and approaches with regard to the protection of customer information.

Accordingly, a review of current protection approaches should be undertaken to ensure compliance with the new laws.

On March 12th 2014, Australia strengthened its Privacy Act by making significant changes to:

● The Australian Privacy Principles (APPs), which apply to both Government agencies and the private sector

● Credit reporting for consumer credit

● The Australian Information Commissioner’s power and function

● The privacy and credit reporting codes, including those binding on specified organisations and agencies

What are the new Australian Privacy Principles (APPs)?

The key changes to the act are:

1. Privacy Policies – organisations are now required to have a clearly expressed and up-to-date privacy policy which must deal, amongst other things, with:

● The types of personal information that an organisation collects and holds;

● How the organisation collects and holds personal information;

● To whom the organisation discloses personal information; and

● If the organisation is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located.

2. Cross-border disclosure of personal information – organisations are required, before disclosing personal information to an overseas recipient, to take reasonable steps to ensure the overseas recipient does not breach the APPs (subject to specified exceptions).

3. Collection of unsolicited personal information – where an organisation receives unsolicited personal information (for example, through a social media platform), it must determine within a reasonable period whether that personal information could have been collected lawfully. If not, then the unsolicited personal information must be destroyed.

4. Credit Reporting – the changes have brought about more simplified and enhanced processes and the introduction of civil penalties for breaches of certain credit reporting provisions.

5. Collection of sensitive information – under the new rules, sensitive information, including, for example, medical and health records or details of criminal prosecutions may (subject to certain exceptions) only be collected by an organisation if the individual has consented to the collection and the information is reasonably necessary.

In addition to these changes, the Privacy Commissioner, who is in charge of monitoring and enforcing breaches of the new rules, has been provided with a range of new powers including the power to:

● Conduct an assessment of whether the personal information held by an organisation is being kept in accordance with the APPs;

● Make various determinations relating to the acts and practices of an organisation, such as compensation;

● Accept enforceable undertakings by organisations in respect of breaches of the Privacy Act. Undertakings could include the payment of a fine, implementation of new systems and procedures, privacy training for staff, compliance reporting and audits; and

● Apply for civil penalty orders for serious or repeated offences of up to A$340,000 for individuals and A$1.7 million for corporations.

Under the new budget, the Office of the Australian Information Commissioner (OAIC) is to be closed in January 2015. Please note, however, that the new privacy requirements will still apply thereafter. The organisational structure and offices of the Privacy Commissioner may change, but the requirements do not. We note also from David Braue’s article in Information Security ANZ that the Privacy Commissioner’s office is anything but dormant in Australia: “In the four years of its existence the OAIC closed 5,303 privacy complaints, handled 40,584 phone and written enquiries, received 193 data breach notifications and conducted 91 own-motion investigations and 10 audits”, including the fines imposed on Telstra following publication of personal information.

The rise of Cybercrime is creating legitimate business risk and privacy concerns for Australians.

There is now enough information available to show that Australian merchants capture and store huge amounts of personal information, including financially sensitive information.

One of the more recent media articles on the topic of data breaches focuses on Catch of the Day, where customer data had been stolen three years ago. This demonstrates the importance of data protection and the need for prompt notification, particularly to the customers affected.

It is vital that organisations dealing with personal information are sophisticated enough to have a plan in place. This triggers the need to immediately notify affected users. Catch of the Day’s failure to inform users of a data breach that occurred three years ago suggests the online retailer wasn’t appropriately prepared. This will most definitely have a negative impact on the brand, as more customers rate trust as one of the main factors when shopping online.

A mandatory data breach notification law will encourage businesses to protect themselves from significant financial losses and the silent epidemic affecting companies in Australia, Europe and the United States (please note that mandatory data breach legislation, while proposed by parliament, has yet to be passed).

Businesses should already have policies and procedures in place to ensure the information they hold is protected from data breaches, including notification where there is a risk of serious harm to affected people. In practice, however, the data paints an entirely different picture: the occurrence and costs of computer-based crime continue to grow significantly in Australia.

Securing a business does incur costs, of course, but not protecting your business appropriately could cost you your clients, your reputation and ultimately your business. The global landscape is changing, and changing fast, and it’s the Australian government’s responsibility to educate and encourage protection in these changing times. The fact that consumers are not being notified when their data is stolen is unacceptable.

Cyber security threats are increasing rapidly, causing many companies to struggle with security and legislative compliance.

At the same time, businesses must support an explosion of new technologies and find ways to handle and protect large volumes of sensitive data. Businesses require solutions which achieve optimal business performance, staff productivity, comprehensive security of sensitive data and control of their digital interactions in one simple, cost-effective service. Our professional services assist companies to navigate the security landscape to achieve both PCI DSS Compliance and/or facilitate compliance with Australia’s Privacy requirements.

Organisations that embrace solutions regarding data security and the new privacy laws can increase customer satisfaction, reduce costs, secure the business infrastructure, foster a better working environment and broaden service options. It’s a compelling opportunity for businesses to leverage security and compliance investments to maximise returns for the business. In short, certified cloud-based services are available which reduce compliance costs and secure customer data and payment processes while offering opportunities to improve the customer experience, improving the bottom line for business.

Contact us and discover why some of the largest merchants in Australia trust us to achieve and maintain PCI DSS compliance.
