Smaller resellers, on the other hand, are looking at means of remaining profitable in an increasingly dense market, and do not have the time or inclination to invest heavily in compliance if it can be avoided, according to Frew.
"The response to the Privacy Act is kind of like widening the digital divide, so to speak," IBRS advisor, James Turner, said. "Organisations that have a high degree of risk maturity - those that have good governance processes in place - have projects in the final stages. For the ones that are not getting active, it has got to be a bit of complacency."
Turner warns those businesses that are not yet proactive that the brand damage incurred as a result of a breach could be far more lethal than the dollar penalty handed down by the Commissioner. While he maintains any breach is the attacker's fault, Turner said "waiting three years" (figuratively) to resolve any non-compliance is unacceptable. Proof of preventative measures could be the difference between recovery and plunder.
"Can a small organisation recover? Yes, but everything depends on what an organisation did before and after the breach. If it has taken reasonable steps beforehand and is being communicative afterwards in terms of how it engages with stakeholders, it is recoverable, but will still take something," he said.
Turner forecasts breaches from both within and outside the IT industry, and said an interesting discussion point is how organisations will deal with an employee who makes a mistake that puts the business in breach of the Act. "What disciplinary measures will be put in place? You cannot just fire somebody because they will come back and say they did not receive training."
The level of adaptation to attain compliance with the Act's amendments relies on the business itself. Service management provider, Dark Horse Systems, does not capture personal information of individuals, but handles that of its company clients. Adjusting to the change did not take much, according to director, Elie O'Han.
"It wasn't a big issue. One of our senior staff attended a project management course and we applied what was said to our business," O'Han said. "We made a few minor adjustments.
"We had to make sure we had the SSL certificates in place, and ensure that any parts of our systems where we had access to credit card information for customers' accounts were protected, and that's primarily in the Cloud services we provide."
Although Dark Horse Systems claims no complications, businesses which continue to be most vulnerable are those with the highest value personal information and the weakest set of controls securing that data, as Missing Link security manager, Aaron Bailey, said earlier this year.