For Australian companies and the overseas businesses that deal with them, March 12 is an important deadline. That’s the day when Australia’s 13 new Australian Privacy Principles (APPs) replace the country’s Information Privacy Principles and National Privacy Principles. The change comes with greater authority on behalf of the Office of the Australian Information Commissioner to investigate compliance violations and levy penalties—up to $1.7M AUS in some cases. And some of the APPs put cloud security and cloud computing security risks in the spotlight.
Under the APPs, customers’ protected personal data should only be stored when necessary and must be accompanied with documentation regarding how the data was collected. Australian businesses must scramble to clean house, of course. They must also put in place mechanisms to ensure the reliable and thorough destruction of customer data as needed in the future.
When it comes to cloud computing security, we recommend exclusive enterprise access to encryption keys as a must-have starting point. That way, when data must be deleted, destroying the encryption key itself does the job: the ciphertext left behind in the cloud can no longer be decrypted by anyone, including the provider.
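The key-destruction approach described above (often called crypto-shredding) is shown below as an added, self-contained example; it is not code from the original post or from any product it mentions. It assumes an on-premises key store that holds the only copy of each record's key, a remote object store that only ever sees ciphertext, and a PRF-in-counter-mode cipher with an HMAC tag built from the Python standard library so it runs offline. All names (`KeyVault`, `CloudStore`, `store_record`, `shred_record`) and the sample customer record are constructed for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # bytes of random nonce per encryption
KEY_LEN = 32     # 256-bit per-record key
TAG_LEN = 32     # HMAC-SHA256 tag


def _keystream(key, nonce, length):
    """Keystream from HMAC-SHA256(key, nonce || counter), i.e. a PRF in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Derive separate encryption and MAC keys from the record key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    """Verify the tag before touching the ciphertext; raise ValueError on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class KeyVault:
    """On-premises key store (hypothetical): the enterprise holds the only copy of each key."""

    def __init__(self):
        self._keys = {}

    def new_key(self, record_id):
        self._keys[record_id] = secrets.token_bytes(KEY_LEN)
        return self._keys[record_id]

    def get(self, record_id):
        return self._keys[record_id]          # KeyError once the key has been shredded

    def shred(self, record_id):
        del self._keys[record_id]             # no other copy exists anywhere


class CloudStore:
    """Remote object store (hypothetical): receives ciphertext only, never a key."""

    def __init__(self):
        self.blobs = {}


def store_record(vault, cloud, record_id, plaintext):
    key = vault.new_key(record_id)
    cloud.blobs[record_id] = encrypt(key, plaintext)


def read_record(vault, cloud, record_id):
    # Raises KeyError if the key was shredded, even though the blob still exists.
    return decrypt(vault.get(record_id), cloud.blobs[record_id])


def shred_record(vault, record_id):
    """Delete customer data by destroying its key; the cloud copy becomes unreadable."""
    vault.shred(record_id)


def demo():
    """Walk through store, read, shred; returns (read_ok, blob_still_in_cloud, readable_after)."""
    vault, cloud = KeyVault(), CloudStore()
    record = b"Jane Citizen, 12 Example St, Sydney"   # constructed sample customer record
    store_record(vault, cloud, "cust-42", record)
    read_ok = read_record(vault, cloud, "cust-42") == record
    shred_record(vault, "cust-42")
    try:
        read_record(vault, cloud, "cust-42")
        readable_after = True
    except KeyError:
        readable_after = False
    return read_ok, "cust-42" in cloud.blobs, readable_after


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the blob in `CloudStore` is never touched during deletion; because only the enterprise ever held the key, losing it is equivalent to erasing every replica, backup and cache the provider may keep. The same pattern works with a real AEAD cipher in place of the standard-library construction shown here; what matters for the APPs is where the key lives and who can destroy it.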
The APPs also bring attention to hacking and cyberattacks against businesses. At first glance, the regulations may seem favorable to businesses: “where a company’s systems are hacked or otherwise subject to unauthorized access by a third party, this will not amount to disclosure by the company (and the company will not be on the hook for non-compliance with the APPs),” according to Mondaq.com. But that holds only if the company has taken reasonable steps to guard against attacks. Australian businesses must not consider themselves off the hook for data breaches. Exemption from fines isn’t the same thing as exemption from the brand damage caused by a breach, and customers won’t consider that brand damage a shared responsibility. If Company A gathered their information and got hacked, they will still blame Company A.
Cloud security issues are serious in Australia, since “the Asia Pacific Region has recently become the world’s leading cyber-attack target,” according to CSO.com Australia. To be in the clear, Australian businesses must lock down their cloud security through strict access controls, cloud malware protection, cloud data loss prevention, and activity monitoring and anomaly detection, which form integral parts of CipherCloud’s cloud information protection platform.
Finally, the APPs clearly hold Australian businesses responsible for any breaches committed by their offshore suppliers if the Australian businesses haven’t made reasonably sure their customers’ information is protected. This is in line with many other data privacy regulations. Typically, businesses are liable even if their data breaches were due to attacks on their third-party cloud service providers. The idea is that businesses should be aware of cloud computing security risks and take measures to mitigate them and protect their customer data, rather than trusting third parties to do the heavy lifting. At CipherCloud, we believe that the best way to mitigate cloud security risks is to protect data with strong encryption before it ever leaves company premises and continue protecting it in the cloud, whether it’s at rest or in use. Strong encryption, combined with exclusive enterprise access to encryption keys, will minimize the risk of breaches and maximize cloud computing confidence.
The lesson of the approaching APPs is clear. To stay on the right side of the law, Australian businesses must take control of their cloud security. If they don’t, they’ll have to face the consequences.
What do the APPs mean for your business? Let us know in the comments.