A worrying number of Australian companies don’t comply with privacy laws or have secure websites

Australian businesses are struggling with contemporary privacy and data protection laws. Many still don’t appreciate (or are choosing to ignore) how Europe’s General Data Protection Regulation (which took effect on 25 May) may affect them. Further, four months after the introduction of mandatory breach disclosure law in Australia, a huge number of Australian businesses are not yet compliant with the Privacy Act or the Notifiable Data Breach Scheme.  

Even at the most basic level, Aussie businesses are neglecting to protect the privacy and personal information of their customers and other stakeholders.

Here are two examples drawn from an analysis of the Australian Financial Review’s list of the 100 fastest growing companies in 2017:

  • One-third (32%) of Australia’s fastest-growing companies do not have secure websites; and
  • Close to one-half (44%) of the companies do not appear to comply with Australia’s privacy laws.

The Fast 100 companies are relatively evenly split between small companies (revenue less than $10 million) and medium-size businesses (revenue between $10 million and $249 million). The smallest company listed turns over a little over $1.5 million.

What’s the hype about HTTPS?

Hypertext Transfer Protocol Secure (HTTPS) is the secure protocol over which data is sent between a browser and a website. The security comes from running HTTP over Transport Layer Security (TLS, the successor to SSL), which encrypts the data travelling in both directions between the browser and the site.

As a consumer, you’ll know when you’re on a secure website: you’ll most likely observe a padlock in the address bar.

Though HTTPS is not mandated by legislation or regulation, it performs four important functions:

  1. It protects the integrity of data exchanged with your website, so it cannot be altered in transit without detection;
  2. It provides authentication, so that visitors can verify that the site they reach is genuinely yours;
  3. It safeguards the privacy and confidentiality of visitors to your website;
  4. And it encrypts all data exchanged between your site visitors and your website.

Without HTTPS, website communications are at risk. Traffic moving between visitors and the website can be read or altered by anyone positioned on the network path (a man-in-the-middle attack), whether a malicious attacker or a mischievous intruder. The personal information of visitors transacting on the website could be exploited, the business’s unprotected resources could be compromised, and all data transmissions could be intercepted.
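The properties listed above can be checked for any hostname. The following Python script is an added example and is not part of the original article: it attempts a certificate-verified TLS connection on port 443, reports the negotiated TLS version and the days left on the certificate, and checks whether a plain-HTTP request to the same host is redirected to HTTPS. The helper names are this example's own assumptions, not a library API.

```python
"""Audit a hostname for the HTTPS properties discussed above (example code)."""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def parse_cert_not_after(not_after: str) -> datetime:
    """Parse getpeercert()'s 'notAfter' text, e.g. 'Jun  1 12:00:00 2025 GMT', to aware UTC."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> int:
    """Whole days left before the certificate expires (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_not_after(cert["notAfter"]) - now).days


def is_https_redirect(status: int, location: Optional[str]) -> bool:
    """True when an HTTP response is a redirect whose target is an https:// URL."""
    return status in (301, 302, 307, 308) and bool(location) and location.lower().startswith("https://")


def audit_host(host: str, timeout: float = 5.0) -> dict:
    """Verify the site's certificate and hostname on 443, then test the HTTP-to-HTTPS redirect."""
    result = {"host": host, "https": False, "tls_version": None,
              "cert_days_left": None, "http_redirects_to_https": None, "error": None}
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking, system trust store
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["https"] = True  # handshake succeeded and the certificate chain verified
                result["tls_version"] = tls.version()
                result["cert_days_left"] = days_until_expiry(tls.getpeercert())
    except (ssl.SSLError, OSError) as exc:  # untrusted or mismatched cert, no listener, timeout
        result["error"] = str(exc)
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        result["http_redirects_to_https"] = is_https_redirect(resp.status, resp.getheader("Location"))
        conn.close()
    except OSError:
        pass  # port 80 closed or unreachable: leave the redirect check as None (unknown)
    return result
```

Call `audit_host("your-domain.example")` for each site you want to assess; a site passes when `https` is True, `cert_days_left` is comfortably positive and `http_redirects_to_https` is True.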

HTTPS is not the future – it’s the now

The early adopters of HTTPS technology were financial institutions and online retailers that recognised the security imperative and the benefit of protecting their customers’ transactions. Enterprises in these sectors used HTTPS to visibly demonstrate that where data protection was concerned, they were going above and beyond.

Nearly 20 years on, HTTPS is no longer a point of difference — it’s a business fundamental. Even if your business is one of the few that doesn’t process sensitive information, many browser features and ‘progressive web apps’ will only function with HTTPS.

A point to note is that ‘online transactions’ do not have to involve payment; a transaction includes any exchange of information. If your website collects data — such as through a contact form, chatbot, lead magnet or careers page — it is engaging in online transactions.

Today, digital best practice dictates that every business in every industry should protect their website traffic and transactions with HTTPS.

As a result, HTTPS is now used by nearly 60% of the world’s most popular websites and for 70% of all page loads.

Australian businesses are simply not managing and mitigating cyber risks.

Ignore privacy compliance at your peril

HTTPS is just one way a business can demonstrate its commitment to data security, though the absence of HTTPS can signal other measures might also be absent or inadequate.

Businesses that collect personal information and have an annual turnover of $3 million or more must comply with the Australian Privacy Principles. So too must all businesses in certain sectors, including healthcare.

Ninety percent of the companies listed in the Fast 100 exceed the $3 million revenue threshold; the other 10% will probably reach the threshold in the coming year.

Yet analysis indicates close to one-half (44%) of Australia’s fastest-growing companies may not be complying with Australia’s privacy laws: they have not published a privacy policy, and they do not include a privacy notification wherever they collect personal information (most obviously, on their contact forms).

Of particular concern is that the greatest number of offending organisations appear to be in the most data-driven sectors — information technology and telecommunications, marketing and business services.

Learn from their mistakes

  1. Secure your website: If you are engaging in online transactions and your business — like one-third of Australia’s fastest growing companies — does not have HTTPS on its website, take corrective action. Moving a website to HTTPS is neither difficult nor expensive. Your internet service or hosting provider will be able to help you obtain and install a certificate.
  2. Achieve privacy compliance: If your business, like half of Australia’s fastest-growing companies, is not privacy compliant, it could face a fine of up to $2.1 million.

Privacy compliance will require your business, at minimum, to:

  • Understand how it deals with (collects, uses, discloses and stores) personal information, and how it addresses complaints;
  • Develop a privacy notification and make it visible wherever personal information is collected;
  • Develop a privacy policy, and/or regularly update the existing policy to cater for changes in your business processes and to comply with changing legal requirements;
  • Document internal processes, procedures and systems in a privacy manual;
  • Ensure that you have internal controls that support the statements made in the published privacy policy — you must do what you say you do;
  • Ensure that you are able to report breaches as required by the Notifiable Data Breach Scheme;
  • And train key staff and appoint a privacy officer.

Ignorance is neither a defence nor a safeguard against the potentially catastrophic reputational damage that would be caused by a privacy or security breach.

If you have any queries, please feel free to contact:

Helaine Leggat
Principal
Sladen Legal
T +61 3 9611 0150 | M +61 439 466 821
Level 5, 707 Collins Street, Melbourne, 3008, Victoria, Australia
E: hleggat@sladen.com.au