L-R - Wade Smith (F5 Networks); Nick Lowe (InfoTrust); Louise Bremberg (Meridian IT); Darren Lynn (Outcomex); Robert Pizzari (Trustwave); Tony Vizza (Sententia); James Wootton (Intalock); David Sykes (Sophos); James Henderson (ARN); Stewart Sim (WebSecure Technologies); Naomi Burley (GRC Institute); Steve Cronan (SecureSoft) and Ken Pang (Content Security)
Within one week, the conversation across the country will have changed, for both customers and partners.
Australia’s data breach notification laws — which will come in effect by 22 February 2018 — impose mandatory investigation and notification requirements on most businesses with an annual turnover greater than $3 million.
Yet most local IT executives remain unprepared to handle the requirements, creating a need for external guidance and advice.
Step forward the channel, who will be called upon to deliver outcome- driven solutions, solid security insights and unparalleled levels of ongoing service.
“This should have been carried out a long time ago but it’s better late than never,” F5 Networks manager of northern partners Wade Smith said. “But there’s a lot of grey areas around the legislation which means that market education is required.
“Will the government come out with a heavy hand? Will the government seek out a large organisation to make an example of?
“We’ve seen government laws come out before and they traditionally focused on the top end of town, but this will impact both the mid-market and small business sectors, and they will require the most help because they don’t have IT departments or resources. There’s huge opportunity for partners to take a leadership position within the market.”
Specifically, the new scheme is designed to strengthen the protections afforded to everyone’s personal information, while improving transparency in the way that the public and private sectors respond to serious data breaches.
In addition, the move will also give individuals the opportunity to take steps to minimise the damage that can result from the unauthorised use of their personal information.
“Is this simply a case of the government being seen to be doing something?” WebSecure Technologies owner Stewart Sim asked. “The trigger point is that this needs to show significant personal harm and from a legal perspective, what does that mean?
“From a compliance perspective, and cynically speaking, is the government only acting because this is causing a lot of pain for a lot of people?
“Until somebody is impacted and is taken to the cleaners, that is when the market will change.”
Currently, the legislation relates to personal information, tax file number information, credit card information, and credit eligibility information deemed to pose “real risk of personal harm”.
Despite the government taking an apparent positive step in a bid to fight cyber crime, the legislation has so far received mixed reviews among channel partners.
“The job of government is to instil confidence,” Intalock cyber security leader James Wootton said. “Whether that means they will pay lip service to it, or spout the same line until somebody sticks to it, nobody quite knows at this stage.
“The law is so woolly which creates opportunities for partners because there will be so much case law developed. There are so many ins for the channel to capitalise on this.”
Customer impact
With the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 establishing a Notifiable Data Breaches (NDB) scheme in Australia, the initiative requires organisations covered by the Australian Privacy Act 1988 to notify any individuals likely to be at risk of serious harm by a data breach.
This notice must include recommendations about the steps that individuals should take in response to the data breach, alongside notifying the Australian Information Commissioner.
Consequently, organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
“Most of the customers we work with aren’t aware of the legislation,” Outcomex security practice lead Darren Lynn added. “Within the past 12 months, they have either forgot about it or hold the opinion that their security architect is sufficient enough that they can get around the breach requirements.
“The conversation doesn’t come up from customers at this stage.
