The Australian data security landscape has changed significantly. On 22 February 2018 the Australian Government’s Notifiable Data Breaches (NDB) scheme came into effect, requiring organisations covered by the Privacy Act 1988 to notify affected individuals, and the Office of the Australian Information Commissioner, of data breaches that are likely to result in serious harm.
It is a crucial step for Australian cyber security, but it is one that means organisations across the country will need to revisit their data breach response plans and privacy policies to make sure they can detect, assess and notify breaches in time.
How does the Notifiable Data Breaches scheme work?
The Office of the Australian Information Commissioner (OAIC) is an independent Government agency responsible for administering the Privacy Act 1988, including the Australian Privacy Principles (APPs).
As the OAIC notes, the NDB scheme directs organisations covered by the Privacy Act 1988 “to notify any individuals likely to be at risk of serious harm by a data breach”. They must also prepare a statement about the breach and give it to the OAIC as soon as practicable after they become aware that an eligible data breach has occurred.
The scheme aims to improve corporate transparency around data breaches and to foster “consumer and community confidence” in the large data networks that hold personal information. It also enables individuals to minimise the damage caused by a data breach as quickly as possible.
What qualifies as a Notifiable Data Breach?
There has been some debate about this. A recent PricewaterhouseCoopers paper questioned how well defined ‘serious harm’ is, noting that the threshold is open to interpretation and argument. However, the OAIC notes that an eligible data breach will commonly involve:
- Theft or loss of a device containing personal information.
- Hacking of central databases that hold personal information.
- Accidental or malicious disclosure of personal information.
The Equifax breach of 2017 is a prime example of this at a large scale, while at a small scale a notifiable breach could be as simple as emailing a small business’ financial information to the wrong recipient.
Who must comply with the Notifiable Data Breaches Scheme?
All organisations covered by the Australian Privacy Act must comply with the Notifiable Data Breaches scheme. The following are examples of entities that have an obligation to notify eligible data breaches:
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
- Australian Government agencies and all private sector health service providers, regardless of turnover.
- Small business operators: Those with a turnover of under $3 million that provide health services and hold health information, trade in personal information, are contracted service providers for a Commonwealth contract, or are related to an APP entity.
- Credit reporting bodies, regardless of turnover.
- Credit providers, in relation to the credit information they hold.
- Tax File Number (TFN) recipients, in relation to TFN information.
How can organisations notify individuals?
Organisations that experience an eligible data breach must prepare a statement for the OAIC and then notify individuals in one of three ways. Ideally they notify every individual whose personal information was involved. Alternatively, where it is practicable to identify them, they may notify only those individuals at risk of serious harm. If neither is practicable, they must publish a copy of the OAIC statement on their website and take reasonable steps to publicise its contents so that affected individuals can find it.
Notifications must include the organisation’s identity and contact details, a description of the breach, the kinds of information concerned, and the steps the organisation recommends individuals take in response to the breach.
How can businesses identify Notifiable Data Breaches?
This can be more difficult. If an organisation knows that an eligible data breach has occurred, it must take the steps above as soon as practicable. However, in many cases a business will only suspect that a breach has taken place, without clear evidence of what happened or who is affected.
In these cases, the NDB scheme requires the entity to carry out a “reasonable and expeditious” assessment within 30 calendar days of becoming aware of the grounds for suspicion, to decide whether the breach is likely to result in serious harm and is therefore notifiable. The assessment should take a risk-based approach and follow the business’ own data breach response plan.
What can businesses do to be prepared?
If your business is affected by this change, it is important to conduct a rigorous assessment of your data security. Everything from staff security training and individual security procedures to network controls such as firewalls should be reviewed and weak points addressed. Just as importantly, you need a documented data breach response plan: without reliable logging and monitoring to detect a breach, and a clear process for assessing and reporting it, the 30-day assessment window is hard to meet.
To get you started our white paper, 6 Steps to Improve your Business Cyber Security, is a great resource with tips you can put into action immediately to help protect your business and avoid data breaches. You can download it here.
For a more comprehensive look at your company’s security policies, our experts can work with you to evaluate your current data security provisions and find ways to improve them. Let us help you today.