Privacy reform changes are on the horizon, and passing mandatory breach notification legislation looks to be all but a technicality, leading Symantec principal consultant John Reeman to issue a sobering warning: Businesses are out of time.
"This law is coming. The fines are significant. There are no excuses anymore. You need to do something," he said at the Symantec Symposium in Sydney on Tuesday.
The privacy commissioner has already been granted powers to hand down fines of up to AU$1.7 million for organisations and AU$340,000 for individuals, and a new set of Australian Privacy Principles has been created. These changes come into effect in March next year.
Additionally, mandatory data breach notification legislation has passed through the federal lower house, and is expected to go before the Senate in November.
Reeman warned that some organisations, especially those dealing with direct marketing, could be caught out by the new principles that deal with the collection of solicited and unsolicited personal information, how organisations can use this information, and whether it is "reasonably necessary" to do so.
Reeman takes issue with the language used, saying that the terms are not clear enough and could open organisations to civil penalties and non-compliance.
"A defence agency may or may not be able to get an exemption from all of these points because they are doing what they believe is reasonable with that personal information in the context of their business, and the same goes for commercial, as well."
He also took issue with the principle that deals with cross-border jurisdiction.
"If you're holding private data but you outsource some of your operations maybe to a cloud provider ... then you need to make sure that the people viewing that in other countries are educated and aware of the privacy principles within Australia, potentially."
Just as Australian legislation can affect how staff work offshore, so too can foreign legislation. Reeman highlighted the proposed changes to the EU Data Privacy Act, which could see organisations fined up to 2 percent of their global profits in the event of a privacy breach.
"If that doesn't wake someone up, I don't know what will."