An amendment to the Australian Privacy Act was passed by the Senate in February 2017, establishing a Notifiable Data Breaches (NDB) scheme in Australia which will commence on 22nd February 2018. The NDB scheme will require all organisations currently covered by the Australian Privacy Act to advise individuals if their data has been breached in a way that may result in loss or damage. In addition, organisations will need to provide affected individuals with recommendations on the steps they should take to protect themselves from further damage.
The first obvious effect on organisations is the need to confirm that a data breach has occurred and to assess its seriousness and its implications for the individuals involved. This means organisations will need to be ready to conduct regular, ongoing assessments so that breaches are detected in a timely manner and the organisation remains compliant with the legislation.
This legislation ushers in an era of data protection in which organisations that have not already done so will need to strengthen their security posture so that personal information is protected. The transparency afforded to end users through the introduction of the Notifiable Data Breaches scheme will in turn reward organisations with strong security practices and give them a competitive advantage over those without.
What would be considered a Notifiable Breach?
A data breach that can result in damage or harm to an individual because of the lost data would be considered a Notifiable Data Breach. This includes any unauthorised access to data, any unauthorised disclosure of data, and the loss of information held by the organisation.
Instances of data breaches can include (but are not limited to) -
- Unauthorised access to a database containing sensitive information on an individual
- Loss or theft of equipment containing data on individuals
- Unintended sharing of data to unauthorised individuals
Is your Business Ready for NDB?
The simplest way to ascertain whether your organisation will be affected is to find out if it is covered by the Australian Privacy Act. If it is, then it will also fall under the NDB scheme. If your organisation falls under the scheme, it's certainly time to have internal conversations around what this means to your organisation and who needs to be involved.
Here is a security checklist to get you started -
- Your first step should involve performing a data review -
  - do you know where your sensitive data is stored?
  - do you know who internally has access to this data?
  - do you know who externally has access to this data?
  - do you know which applications access this data, and do those applications have any vulnerabilities?
- Prepare a breach response plan -
  - what are the processes which need to be followed internally?
  - contain the breach and assess its extent
  - assess the risk associated with the breach
  - identify who the members of the response team are and set out their responsibilities clearly
  - provide a clear and articulate action plan that you expect the response team to follow in the event of a breach
  - determine whether notification is needed - the new notification laws prescribe that if a data breach creates a real risk of serious harm to individuals, the affected individuals need to be notified
  - remediate the vulnerability to ensure no further data loss occurs
- Review your current monitoring and controls -
  - do you have the correct monitoring and controls in place for the data you store?
  - are you currently following best practices?
- Complete an Information Security Risk Assessment to establish your baseline security posture -
  - continue to perform regular security assessments of your information security controls
  - periodic penetration tests will identify new threats and vulnerabilities in your information systems
  - regular assessments will improve your security posture over time and provide assurance that appropriate controls and procedures are in place
How Do You Notify of A Breach?
If you have ascertained that the breach falls under the NDB scheme, you will need to advise all affected individuals as well as the Office of the Australian Information Commissioner (OAIC). The notification must cover the following points -
- Your organisation's details as well as appropriate contact details
- An outline of the breach that has occurred
- The type of information lost
- Steps individuals need to take to protect themselves from further harm as a direct result of the data loss
As with everything in life, prevention is always better than cure. With that in mind, if you have not already started your security preparation, it is imperative that you get moving! If you need any assistance in preparing to meet your obligations under the new legislation, or would like assistance in fortifying your security posture, just reach out; we are here to help.