The Australian data security landscape has profoundly changed. On February 22, 2018 the Australian government's Notifiable Data Breaches (NDB) scheme came into effect, requiring all organisations to report NDBs to those individuals affected.
It's a crucial step for Australian cyber security, but it's one that means organisations all over the country will need to completely revamp their relevant strategies and policies.
You share your personal info with various organisations. If your personal info is hacked, stolen, or lost by an organisation covered by the Privacy Act 1988 & you are at a likely risk of serious harm, they must tell you — starting 22 February: https://t.co/z6vANXKGmD #privacy pic.twitter.com/Dl5siEcnZd
— OAIC (@OAICgov) February 19, 2018
The Office of the Australian Information Commissioner (OAIC) is an independent Government agency that is responsible for administering the principles of the Privacy Act 1988.
As the OAIC notes, the NDB scheme directs organisations covered under the Privacy Act 1988 "to notify any individuals likely to be at risk of serious harm by a data breach". They must also inform the OAIC as soon as possible.
The scheme aims to improve corporate transparency around data breaches and to foster "consumer and community confidence" in the large data networks that hold personal information. It also enables individuals to minimise the damage caused by a data breach as quickly as possible.
There has been some debate about this, with a recent PricewaterhouseCoopers paper debating the strength of 'serious harm', and noting that it could be open to interpretation or argument. However, the OAIC notes that an NDB will likely include:
The Equifax breach of 2017 is a prime example of this at a large scale, while at a small scale an NDB could be as simple as sending a small business's financial information to the wrong email address.
All organisations covered by the Australian Privacy Act must comply with the Notifiable Data Breaches scheme. The following are examples of those who will have an obligation to notify any data breaches:
Ideally, organisations subject to a data breach should notify affected individuals directly, as well as presenting a statement to the OAIC. If the organisation cannot get in touch with all individuals, they can reach out to only those at risk of serious harm. If the organisation cannot inform any individuals, they must publish the OAIC statement on their website and take all reasonable steps to let impacted parties know about this.
Notifications should include a description of the breach and the type of information at risk, as well as the organisation's own contact details and steps individuals should take to mitigate the risks of the breach.
Assessing a suspected breach can be more difficult. If an organisation knows with certainty that a Notifiable Data Breach has occurred, it must take the above steps as quickly as possible. However, in many cases a business will simply suspect a data breach has taken place, without concrete evidence of it or its impact.
In these cases, the OAIC requires organisations to take all reasonable assessment steps within 30 calendar days of first becoming aware of the potential for a breach. This should be a "reasonable and expeditious" assessment, take a risk-based approach, and remain in line with the business's own data breach response planning.
If your business will be impacted by this change, it is important to conduct a rigorous assessment of your data security. Everything from individual security protocols and staff education to the strength and number of your firewalls should be analysed, weak points addressed, and fail-safes for identifying and reporting breaches established.
To get you started, our white paper, 6 Steps to Improve your Business Cyber Security, is a great resource with tips you can put into action immediately to help protect your business and avoid data breaches. You can download it here.
For a more comprehensive look at your company's security policies, our experts can work with you to evaluate your current data security provisions and find ways to improve them. Let us help you today.