New Australian Privacy Laws to Drive Need for Secure Software Development

Given the high-profile data breaches that have emerged in Australia over the last 2 months, it was unsurprising that the Australian government decided to review and reform their privacy laws to deter other large organisations from what they refer to as 'serious and repeated' privacy failings.

Despite concerns about undefined terms, the high profile nature of both Optus and Medibank meant the proposed changes to this law passed were signed off today and will result in fines of $AUD 50 million or more for offending organisations.

So what does this mean have to do with software security?

While privacy and security are not the same, they are closely related. It is impossible to keep data private without security - specifically those controls that protect the confidentiality and integrity of our data.

Our companies now run on software, 80% of our experiences with organisations and brands are now via online stores or platforms, and these systems store vast amounts of sensitive information about people worldwide.

For individuals (e.g. sole traders), partnerships and other unincorporated entities, the penalty will increase from the current maximum of $440,000 to $2.5 million"

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Interestingly, the choice to specify fine levels for sole traders and small businesses shifts this conversation dramatically from what was seen in the launch of GDPR. Making this explicitly for all businesses rather than just large enterprise means that change will be needed across hundreds of thousands or organisations.

To meet our rapidly increasing privacy obligations, it is crucial that our software systems are built with security and privacy in mind.

Privacy needs security

Specifically, this means:

• Designing our data models to only request and store that data which is needed.
• Building our applications to ensure that throughout the data's life in our systems - it remains protected from harm (whether that be malicious or unintentional).
• Ensuring that all systems and teams take steps to reduce the number of vulnerabilities they have, identify security issues quickly and respond to bad situations effectively.
• Reviewing the security of software that we use, purchase or commission to ensure that it meets a sufficient standard.

Too little too late?

In a perfect world, it wouldn't take serious breaches of personal information to ensure these changes start to happen in our software development processes. However, if the silver lining of a bad couple of months is improved clarity and prioritisation of data security then perhaps we can all benefit.

In the future however, let's aim for making improvements to our data privacy and security proactively rather than as a result of people being hurt.