SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Time for Australian technology law overhaul - ACS
Fri, 30th Sep 2022
FYI, this story is more than a year old

ACS, the professional association for Australia's technology sector, has welcomed recent statements from the Prime Minister and Minister for Cyber Security, Claire O'Neil, on the need for revising privacy and cybersecurity laws.

The association, representing more than 35,000 Australian workers, sees the current focus on privacy and security as an opportunity to modernise the legal frameworks governing the technology sector.

"ACS welcomes the government's call for reform of the nation's cybersecurity and privacy regulation in response to the Optus data breach," says Chief Executive Officer Chris Vein.

"Over the past decade we have seen a range of security, data retention, money laundering and privacy legislation to address various problems with little co-ordination between those laws," he says.

"As a consequence, it has been difficult for organisation and technology professionals to follow best practice data management while complying with a myriad of conflicting legislation.

"ACS sees a review in light of the Optus breach as an opportunity to modernise Australia's technology legislation framework with an aim of protecting all Australians while enabling the nations digital champions to compete globally."

Chair of the ACS Cyber Security Committee, Louay Ghashash, says any review must look at enforcing security best practices with substantial penalties for organisations that fail to do so.

"What is the minimum standard for any Australian company to keep their customer data secure? Unfortunately, there isn't a comprehensive and unified standard across the businesses that we can rely on to ensure companies have a good security control," Ghashash says.

"There should be a push from the government to establish minimum standard best practice and require companies handling and dealing with sensitive data to implement; but this is a complex task, it will cause a huge burden on smaller companies to implement and comply, therefore this must be done using a consultative approach."

Ghashash says the standard must be comprehensive enough to cover various types of threats and malicious acts, including companies internal staff behaviour and data handling. 

"For instance, take Australian Cyber Security Centres Essential Eight requirements, Optus breach would probably still have happened even if they had implemented it, as Essential 8 requirements focus on malware and ransomware attacks and don't cover handling sensitive data or exposing it to the internet.

"Additionally, we also have to consider the regulatory burden on companies where they are required to store vast amounts of personal and sensitive data to validate and identify customers in order to comply with legislation.

"There has been for years now payment gateway companies to relieve the burden of companies storing customer credit cards and replace it with token tokenised payment gateways, we should think of adopting similar identity gateway to stop companies from storing personal data and replace it with a token."

ACS says rethinking legislative data collection requirements along with how that information is stored and handled would help reduce the risks of future events on the scale of what has happened to Optus.

Finally, the financial penalties of companies mishandling users personal data should be high, prohibitive and commensurate with the size of the breach, it says.

"ACS is keen to work with the key ministers in the cybersecurity, technology and telecommunications space to ensure we get the best results for all Australians," adds Vein.

"We look forward to working with the government, particularly Ministers Gallagher, Rowland and Husic in developing a legal framework that meets the demands of the 21st century's digital economy."