In September, the Federal Government introduced its Privacy Act Reform Bill. Whilst it didn’t come with as much bite as many had hoped for, there are critical changes within the bill that all organisations, including retailers, need to be aware of to ensure they don’t run afoul of the new laws.
Inclusions of particular note in the first tranche of changes include a requirement for transparency about the use of automated decision-making, the notion that adequate security measures must include both technical and organisational measures, the bolstering of privacy enforcement powers, the creation of a new Children’s Online Privacy Code within two years, and a new statutory tort allowing consumers to sue organisations for serious invasions of privacy.
A number of the more ambitious changes including a right to erasure and ending a carve-out for small businesses will be delayed until at least 2025. However, this is not a reason for retailers to pause efforts to improve their privacy practices. Instead, retailers would do well to look ahead and future-proof themselves to better protect their customers and their own brands. For many, this still means starting with the basics.
Why retailers need to up their privacy game
According to the OAIC, retailers are the 5th most frequent notifiers of a data breach in Australia. It makes sense, given retailers are required to secure copious amounts of sensitive data across thousands of disparate devices and systems, whilst employing a large casual workforce who may not be particularly knowledgeable in data privacy processes.
With these recent and upcoming privacy reforms, it is becoming even more critical for retailers to have visibility across all devices in order to understand where sensitive data resides across their networks. The potential penalties mean that having the ability to find customer data across all computers, in real-time, regardless of whether they are in a data centre, POS system, or the laptop of an employee working from home, should be front of mind for organisations.
This becomes especially important with the upcoming ‘right to erasure’ reform which will mean customer data will need to be removed from any device it resides on at the customer’s request. For this reason, having visibility across every device on the network is a key foundational starting point.
Finding sensitive data in real-time
Imagine a member of a retail customer support team is working on a file saved in a secure centralised server which contains a customer’s personally identifiable information. The file is responding slowly, so they decide to copy the file to their laptop to work on it and forget to delete it once they’re done. It might seem harmless, but that information is now exceedingly difficult to secure, particularly once it leaves the organisation’s core network.
Frequent occurrences like this are what make finding sensitive information stored across a retailer’s network so hard, let alone securing it.
The first step to solving this problem is to identify every endpoint on your organisation’s network so that each one can be monitored in real time. This is the most fundamental step because you can’t protect what you can’t see, and what you can see has to be current: an endpoint could be clear of any personally identifiable customer data one day and riddled with it the next.
The next step is to find the right sensitive data monitoring tool. These can take two approaches. One is network-based: centralised software reaches out from a server to scan every device it can reach for sensitive data. This method is slow, because the scanner has to pull file contents across the network, and it leaves gaps, because it can only inspect devices that are online and reachable at the moment the scan runs. Think about how many employee laptops are off the corporate network at any given time.
Instead, organisations should be switching to agent-based monitoring tools. These tools install a software package, or ‘agent’, on every endpoint. Each agent indexes and inventories relevant data on its own device and makes the results available to query in real time, no matter where the device physically resides. This means devices can be scanned even when they’re outside the organisation’s network. Agent-based monitoring tools are also lighter weight on the network, because the agent does the scanning locally and returns only the results rather than the file contents themselves.
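To make the agent-side part of this concrete, here is an added example (not code from this article, and not Tanium’s product) of what a minimal local indexer on an endpoint does: it walks the local filesystem, classifies each file by the kinds of personally identifiable data it contains (email addresses, Luhn-valid card numbers, and a loose Australian phone-number pattern, all of which are assumptions for illustration), and builds an inventory that can be queried without shipping any file contents off the device. The sample files it scans are constructed inline so it runs offline.

```python
"""Minimal endpoint PII indexer (illustrative example, not a product).

An agent-style scan: read files locally, keep only a summary of what was
found, and answer queries such as "which files hold card numbers?".
"""
import re
import tempfile
from pathlib import Path

# Detection patterns. These are deliberately simple assumptions for the
# example; a real agent would use a tuned, tested set of classifiers.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Loose Australian mobile/landline shape: +61 or leading 0, then 9 more digits.
PHONE_RE = re.compile(r"(?<!\d)(?:\+61|0)[ ]?\d(?:[ ]?\d){8}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum (card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count PII indicators in one file's text. Only counts leave the device."""
    hits = {"email": len(EMAIL_RE.findall(text)), "card": 0, "phone": 0}
    for candidate in CARD_RE.findall(text):
        if luhn_valid(re.sub(r"[ -]", "", candidate)):
            hits["card"] += 1
    hits["phone"] = len(PHONE_RE.findall(text))
    return hits


def index_tree(root, max_bytes: int = 1_000_000) -> dict:
    """Walk `root` and return {relative_path: hits} for files containing PII."""
    root = Path(root)
    inventory = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        try:
            text = p.read_text(errors="ignore")   # skip undecodable bytes
        except OSError:
            continue
        hits = classify(text)
        if any(hits.values()):
            inventory[p.relative_to(root).as_posix()] = hits
    return inventory


def query(inventory: dict, kind: str, min_hits: int = 1) -> list:
    """Answer the console-side question: which files hold at least N of `kind`?"""
    return sorted(path for path, h in inventory.items() if h.get(kind, 0) >= min_hits)


def demo() -> dict:
    """Build a constructed sample endpoint in a temp dir and index it."""
    samples = {
        # A copied export like the one in the article's scenario (constructed data).
        "exports/customers.csv": (
            "name,email,card\n"
            "Alice Example,alice@example.com,4111 1111 1111 1111\n"   # Luhn-valid
            "Bob Example,bob@example.org,4111111111111112\n"          # Luhn-invalid
        ),
        "notes/todo.txt": "Call the supplier about shelving.\n",
        "downloads/support_ticket.txt": (
            "Customer Carol Example (carol@example.net, 0412 345 678) "
            "reports refund failed for order 20231105.\n"
        ),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return index_tree(tmp)


if __name__ == "__main__":
    inv = demo()
    for path, hits in sorted(inv.items()):
        print(f"{path}: {hits}")
    print("files with card numbers:", query(inv, "card"))
```

The design point is the shape of the data that crosses the network: `index_tree` returns counts per file, never the matched values or the file contents, so the central console can ask “which endpoints hold card numbers?” and get an answer from every online agent without the bandwidth cost of a remote scan. A real agent would also record when each file was last indexed, so that a customer’s erasure request can be traced to every device that held their data.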
With real-time visibility over all endpoints, retailers can be confident they can find sensitive customer data and delete or secure it accordingly. The message to retailers is simple. Don’t wait for regulation to improve your organisation’s privacy tools and processes. Whether it’s legislated or not, customers now demand more of the brands they shop with. With threats increasing every day, it’s more important than ever to make sure organisations can detect and protect their customers’ data in real time.
James Greenwood is regional vice president, technical account management at Tanium.