
April 3, 2013

Thinking of moving to the cloud?

If your business is thinking of using a remote hardware or software service (eg over the Internet) instead of one run on a server in your own premises then here are some issues for you to consider, apart from the commercial issues of price, service and support:

  • will your business be able to continue if there is a loss of cloud computing services?
  • what protections are there for the confidentiality of business and customer data?

How do you manage the risks? Apart from specific contractual provisions (which we can advise you on):

  • Find out where the servers and the backup servers are located
  • What are the guaranteed service levels? What rebate do you get for downtime? Even Google, Amazon and Microsoft have downtime: see here
  • What happens to your data when the licence ends? Will it be deleted?
  • What is your exit strategy, including extracting data after termination (what format is it in?)
  • Are you able to back up your data continuously to your own local site?
  • Does the service comply with Australian privacy laws (especially if the servers are overseas)? Are there adequate systems and procedures in place to protect the privacy of your information?

Whilst there are advantages in cloud services (eg savings on capital and maintenance costs of your own servers), there are risks you need to understand and manage.


Posted 3rd April 2013 by David Jacobson in Legal, Risk management, Web/Tech

June 14, 2011

RSA’s bank security tokens and data breach notifications

The RSA cyber attacks resulted in RSA warning its customers of the risk to RSA's SecurID two-factor authentication products, including the security tokens RSA's customers provide to their customers.

Whilst RSA argues the data breach risk was low, there is a major reputational risk.

This has led to reports that Westpac, ANZ, NAB and CBA, as well as the ATO, will replace the security tokens they have issued to their customers.

It is still not clear what information has been obtained from RSA but clearly its customers are not taking chances.


Posted 14th June 2011 by David Jacobson in Legal, Risk management

October 8, 2008

Data breach notifications

If your mobile loans officer's laptop computer is stolen from the back of his car, do you know what information is stored on it?

How do you decide whether to tell members whose information was stored on the computer? What are your procedures for notifying your members that their personal information is at risk and that they might be subject to identity fraud? Who else should you notify (eg police, Privacy Commissioner, your insurer)?

The same questions could be asked in respect of a lost flash drive (memory stick) holding your staff's personal details, a stolen box of out-of-date credit reports or a CD left at an airport computer.

Whilst there is no mandatory data breach notification law in Australia yet, the Privacy Commissioner has issued a Voluntary Data Breach Notification Guide.

If you don't yet have a policy on these issues, the Guide contains an excellent framework for decision making and good sample scenarios.


Posted 8th October 2008 by David Jacobson in Risk management

August 26, 2008

Privacy and data breach notification

The recent ALRC Privacy Law report noted that given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised.

Consequently, the ALRC recommends the introduction of a mandatory data breach notification scheme.

The ALRC has recommended that an agency or organisation only be obliged to notify affected individuals and the Privacy Commissioner when a data breach has occurred that may give rise to serious harm to any affected individual.

The government has indicated it will deal with this issue in the second stage of its response in the next 12 to 18 months.

In the meantime, the Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches" (pdf). It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

The Guide includes four key steps to consider when responding to a breach:

Step 1: Contain the breach and do a preliminary assessment

Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).

Step 3: Consider notification

Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals.

The Guide includes illustrative examples that will help in deciding, for instance, whether notification is an appropriate response in a given situation.


Posted 26th August 2008 by David Jacobson in Risk management

August 22, 2008

What risk management procedures do your third party providers have?

Imagine the response if your customers received someone else's account details in a letter addressed to them.

That is what happened to customers of Goldfish, a credit card subsidiary of Barclays (Telegraph UK).

According to ComputerWeekly a processing error at the printer the company uses to process statements meant the statements were printed incorrectly. The front page was correct, but subsequent pages contained the account information of other people.

What procedures do your contractors have to avoid these types of errors? How do you monitor them? (Some of my clients have "dummy members" so they see every mail out). How often do you audit their procedures?

And if something goes wrong do you have a rapid response plan?


Posted 22nd August 2008 by David Jacobson in Risk management

July 13, 2008

Physical security: a privacy risk

In my reviews of organisations I often find that a lack of physical security is the most likely compliance risk. For example, files left on desks, filing cabinet keys left on top of the cabinet and even passwords written on post-it notes stuck to PCs all represent privacy and AML risks.

A recent US survey (reported in Computerworld) revealed that laptops are most often stolen at airports, followed by hotels and parked cars.

"Some of the largest and medium-size U.S. airports report close to 637,000 laptops lost each year, according to a Ponemon Institute survey. Laptops are most commonly lost at security checkpoints, according to the survey.

Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65% of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-size airports, and 69% are not reclaimed. The institute conducted field surveys at 106 airports in 46 states and surveyed 864 business travelers....

The U.S. Federal Trade Commission recommends people treat laptops "like cash." Like a wad of money, a laptop in public view, such as in the back seat of a car or at the airport, could attract unwanted attention. The FTC also recommends using tracking devices such as Absolute Software Corp.'s LoJack, which can help track down a stolen laptop by reporting its location once it is connected to the Internet."


Posted 13th July 2008 by David Jacobson in Risk management