The Australian Privacy Commissioner will take into account the size of an organisation's wallet when it cracks down on hacked companies under the tougher Privacy Act set to come into force next week.
Small organisations across Australia with revenues above $3 million will breathe a collective sigh of relief at the news that they will not be punished with fines and regular compliance audits simply because they lacked the resources to invest in high-end security technology and processes.
Until today, organisations were instructed only to deploy 'reasonable' security measures to protect sensitive customer data.
They were also told by the Privacy Office that scrimping on security for sensitive customer data, should an organisation be breached, would result in a black mark by the Office and heighten the chance of costly regular government audits.
Adding fuel to the fire, organisations were warned by Federal Privacy Commissioner Timothy Pilgrim to "hit the ground running" with compliance and not expect extensions.
The reforms that consolidate Australia's disparate privacy laws were recommended in a 2008 landmark report by the Australian Law Reform Commission, passed into law in 2011, and come into force on March 12.
Security professionals and IT managers at dozens of Australian organisations - including some of the nation's largest household names, independent stores and government agencies - spoke on condition of anonymity about their fears for what the act holds.
Since draft guidance for the reforms was released late last year, they were collectively unsure of what was required at minimum to keep privacy auditors at bay.
They also took bets on whether the Office would strike hard and fast come March 12 and make an example through the courts of the first hacked organisation to fall foul of the act.
In an effort to quell some of these concerns and what he deemed a misreading of the Amendments by this publication, Commissioner Pilgrim said the Office would, despite its tougher approach to compliance, consider the resources of any organisation that breaches the new Act.
"We would take into account the size of an organisation, but it is only one factor," Pilgrim told SC, adding that more resourced organisations must ensure security platforms are properly configured and monitored, and not just turned on in the style of check box compliance.
"We would be looking at what [security and risk] standards have been applied ... to see what may be applicable to the size of the entity in terms of availability of systems and their cost," he said.
"At the end of the day an organisation can't be excused for [not] taking particular steps to protect the information they have -- they must be taking some steps."
Hacked organisations that have failed to fix basic security flaws will receive little sympathy, even if they approach the Office with out-turned pockets. Organisations that allow, for example, hackers to break into their infrastructure because they ran an unpatched instance of ColdFusion would fall foul of the Act.
IPSec director of operations Ben Robson said organisations will likely take little action to comply until precedents are set.
"The practical consequence of this, I believe, is that Australian organisations will take modest steps towards privacy protections but will not be fully committed to compliance until there are sufficient rulings against organisations of a similar size to their own," Robson said.
"That is to say, that smaller organisations will largely ignore rulings against larger organisations and larger organisations will probably already have in place what is expected of smaller organisations."
It appears unlikely that the Office will seek to make an example of the first company to be breached. The initial months following March 12 will see the Office "working with entities to ensure" organisations and agencies "understand the new requirements and have the systems in place to meet them".
It would adopt "an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements".
Small business unlikely to invest
Large Australian organisations including banks, telcos, retail chains, insurers and government agencies have implemented privacy reform and review schemes with some mulling plans to rip and replace customer database management systems.
But tech representatives for the small end of town have warned that those businesses are unaware of, or uninterested in, investing to comply with the reforms.
Sense of Security southern region business manager Aarron Spinley said the first point of difference between how large and small organisations comply with the new Act will be in the execution of policies.
"In regard to the potential or perceived disparity between the assessment of large versus small organisations, the first real measure is likely to be the presence or absence of any overriding governance arrangements," Spinley said.
"Policy statements may not differ between large and small organisations, but the way that policy is implemented will."
Pilgrim said organisations voluntarily confessing breaches to the office and alerting compromised users -- in lieu of the scuppered mandatory reporting scheme -- would be considered to have taken at least one 'reasonable step' to comply with the Act. The office received about 30 voluntary data breach notifications from organisations in the current financial year.
He urged organisations to initiate privacy impact assessments to determine where sensitive customer information lies, who could access it, and what the risks of holding that information are.
Smaller organisations unsure of where to start in terms of compliance should look to ISO security and risk standards, Pilgrim said.
Organisations should note that dangers lurk not in fines but in the impact of the security exposures leading to breaches, according to Distribution Central managing director Nick Verykios.
"When the focus is on fines, legislation and compliance, the security policy is significantly compromised," Verykios said.
"Because security problems, any kind and inclusive of data leakage and those associated with privacy legislation, can bring an entire organisation to a standstill or down for good. That is the historic truth."
He said it would be positive if the threat of fines under the Act served to push organisations to update their data security policies and strategies to address security threats.