Australia to Impose Penalties on Firms 'Lacking Data Security'
By Kalyan Kumar | July 1, 2014 12:55 PM EST
Australia will be setting tougher measures for all violators of data protection, especially those related to personal data security.
Privacy Commissioner Timothy Pilgrim has announced he will take a serious view of any business failing to protect personal data. He is now armed with the legal teeth of the privacy law, effective March 2014, to take stringent action and punish offenders.
The security issues took a serious turn after the data breach in 2013 at the Australian dating site of Cupid Media Pty Ltd. That opened the can of worms on data security.
Pilgrim publicly said Cupid's information security practices were seen deemed by the provisions of the new Privacy Act in force.
Cupid's story is one of unpatched vulnerabilities and a compromised customer database, with personal data stolen and made public. The names, dates of birth, email addresses and passwords of more than 2,000,000 active Australian customers were exposed.
The commissioner observed that password encryption strategies were already available to all firms. They include safeguard measures like hashing and salting and could have been used by Cupid to prevent unauthorized access to user accounts. There was an abject failure to take simple and effective steps and to abide by the reasonable security steps required by the privacy law.
Had Cupid's data breach occurred after March 12, the day Australia's privacy law came into force, the law would have given the privacy commissioner the teeth to impose huge financial penalties on the offending firm. Although Cupid escaped the penalty, the commissioner asked the company to behave and follow a collaborative approach by working with the Office of the Australian Information Commissioner to avoid a recurrence of such incidents.
The incident was a timely reminder that personal data is much more explosive than financial data. Pilgrim's serious warning is a reminder that the non-technical managers of online businesses will have to stay alert and be proactive with their technical staff.
Verizon Remedy Initiative
With data breaches making news, the Verizon 2014 Data Breach Investigations Report finds that two-thirds of breaches involve lost/stolen user credentials. But businesses can offset the risk by using a single credential for both the physical and virtual worlds. Verizon will shortly offer a new service called Smart Credential, usable as a single trusted identity to connect the online and physical worlds.