Security to go under privacy microscope

The federal privacy commissioner intends to clamp down on businesses that neglect security standards following a string of public data breaches this year.

Australian Privacy Commissioner Timothy Pilgrim told ZDNet Australia that future investigations will focus on determining if businesses have adopted baseline privacy and security benchmarks before collecting customer data.

Businesses will need to have constant "strong risk assessment processes" that ensure only necessary customer data is held within corporate systems, he said.

"Businesses need to make sure the privacy protections are strong and are built early into the systems. Information will be vulnerable when the right security controls are not in place, as we found with the Vodafone system."

Privacy probes will examine whether security systems have been "regularly updated" and are designed in accordance with industry benchmarks including ISO 27002:2006.

This year has already seen several breaches and bungles resulting from poor security measures. On Monday, criminals made off with an unknown number of credit card details owned by customers of cosmetics retailer Lush after its Australia and New Zealand websites were cracked.

The breach, blamed on aging IT systems, has triggered an investigation by the privacy office.

Last month, Vodafone Australia was hit with a massive breach of its customer credentials after its staff had sold off log-in credentials used to access its client database. A report by the privacy office into the Vodafone breach was released today.

Also in January, data breaches hit the University of Sydney, the Sydney Festival and Telecom New Zealand.

While companies are raked over the coals by the privacy commissioner, they will lose little more than their reputations, as at the moment the commissioner cannot impose penalties. The Australian Law Reform Commission and the privacy commissioner are pushing to make sanctions possible under pending reviews of the Privacy Act.