With GDPR the focus of many press headlines across the world, you’d think it was the first and only regulation covering the privacy of individuals! However, privacy regulations exist in numerous countries around the globe, and anyone in Australia or its territories will be all-too familiar with the Australian Privacy Act 1988 (which, for simplicity, I'll just refer to as 'the Privacy Act' from this point forward).
Governed by the Office of the Australian Information Commissioner (OAIC), the Privacy Act introduces 13 Privacy Principles (known as Australian Privacy Principles, or APPs) that guide how the personal information of Australian subjects must be managed. Failure to protect personal information is deemed “...an interference with the privacy of an individual,” with financial penalties of up to AUD$360,000 for individuals and up to AUD$1.8M for organizations.
What’s top of mind for many who are subject to the Privacy Act is a new amendment -- the Privacy Amendment (Notifiable Data Breaches) Act of 2017. Inspired by the proliferation of personal information stored in electronic form, such as social media content, healthcare records, and more, the amendment acknowledges the increasing risk (and occurrences) relating to breaches of that data.
Starting 22 February 2018, the amendment introduces the Notifiable Data Breaches (NDB) scheme. This requires organizations to notify individuals of an ‘eligible data breach,’ which is defined as when BOTH the following conditions are met:
An individual’s personal information has been subject to unauthorized access, disclosure, or loss; and
The breach is likely to result in serious harm to that individual.
Who Needs To Comply with the Australian Privacy Act?
The Privacy Act applies to all Australian government agencies, businesses, and non-profit organizations with an annual turnover of more than AUD$3 million.
In addition, small businesses and organizations with an annual turnover of less than AUD$3 million that fall into the following categories must also comply with the Privacy Act:
Private sector health service providers including:
Traditional healthcare providers (hospitals, day surgeries, medical practitioners, pharmacists, health professionals).
Complementary therapists, such as naturopaths and chiropractors.
Gyms and weight-loss clinics.
Child care centers, and private educational institutions.
Businesses that sell or purchase personal information, including consumer credit information and tax file numbers, and credit providers (including energy and water utilities and telecommunications providers).
What Happens if a Breach of Personal Information is Suspected?
When a breach of personal information is suspected, organizations subject to the Privacy Act must:
Immediately start an investigation to determine the nature, extent, and severity of the breach.
Take all reasonable steps to complete the assessment within 30 calendar days from the day after a breach is suspected.
The Privacy Act is not prescriptive in how an investigation is conducted, but the OAIC recommends a three-stage process:
Initiate: determine whether an assessment is necessary, and who is responsible for completing that assessment.
Investigate: examine the breach, including what personal information is affected, who may have had access to the information, and what the likely impacts might be.
Evaluate: decide whether the identified breach is an eligible data breach.
If the breach is deemed an eligible data breach, the individual(s) affected must be notified.
‘Reasonable Steps’ To Protect Personal Data
In January 2015, the OAIC published the Guide to Securing Personal Information to advise organizations on what to implement to protect personal information. Part B of this document outlines a mix of administrative and technical controls across the following nine broad topics, which together are deemed the ‘reasonable steps’ that any entity subject to the Privacy Act is expected to put into place.
Governance, culture, and training
Internal practices, procedures, and systems
Third party providers (including cloud computing)
Destruction and de-identification
In addition, some agencies may be subject to further requirements for protecting personal information, such as security provisions set out in other frameworks like the Australian Government's Protective Security Policy Framework and the Information Security Manual. Both of these documents are designed for government agencies, but they can be used as guidance by any organization.
To effectively manage cybersecurity risk and satisfy the technical security controls required by the Privacy Act, an organization would conceivably have to procure and deploy multiple point security solutions. In addition, investigating suspected breaches with a myriad of tools can be challenging, especially given the 30 calendar-day window within which an investigation must be completed. Alternatively, organizations can pursue a unified solution that combines multiple essential security technologies into a single platform with a single management console. AlienVault USM does just that.
How AlienVault USM Helps Support Compliance with the Privacy Act
While many of the APPs focus on administrative controls and processes for the collection of personal information, APP 11 (security of personal information) addresses organizations implementing the ‘reasonable steps’ that the above-mentioned OAIC document outlines.
AlienVault USM provides multiple essential security capabilities in a single solution, enabling you to satisfy many of the ‘reasonable steps’ outlined by the OAIC to meet APP 11, and to accelerate investigations into suspected breaches so they fit within the 30 calendar-day window. In one unified solution, you get:
Asset Discovery: Know who and what is connected to your cloud, on-premises, and hybrid environments at all times.
Vulnerability Assessment: Know where vulnerabilities exist to avoid exploitation and compromise.
Intrusion Detection: Continuously monitor your networks, hosts, and cloud environments to detect anomalies and attacks like malware, ransomware, and brute force authentication.
Behavioral Monitoring: Identify suspicious user and administrator behaviors that could indicate an insider threat or account compromise.
Orchestrated Incident Response: Quickly contain and mitigate discovered threats through orchestrated and automated actions.
SIEM Log Management & Reporting: Aggregate, retain, and enable investigation and analysis of security event data from across your network.
Integrated Threat Intelligence: Receive continuously updated threat intelligence from the AlienVault Labs Security Research Team and the AlienVault Open Threat Exchange® (OTX™), including correlation directives, vulnerability signatures, indicators of compromise, guided threat responses, and more.
For a detailed mapping of how AlienVault USM can be used to demonstrate compliance with the ‘reasonable steps’, check out:
Our solution brief, “Accelerate Compliance with the Australian Privacy Act 1988 Using AlienVault® Unified Security Management® (USM).” This guide will provide examples of how AlienVault USM helps you comply with many of the ‘reasonable steps’ where technical controls are described, particularly: Internal Practices, Procedures and Systems; ICT Security; Access Security; and Third Party Providers (including cloud computing).
Our online demo environment, where you can explore the capabilities of AlienVault USM, and see how it can help accelerate your security and compliance efforts.