Everything Your Organisation Needs to Know About the Mandatory Data Breach Notification
Data breaches are affecting businesses the world over, and Australia is no exception.
In fact, there were more data breaches in Australia during the first half of 2016 (22 total) than anywhere else in the Asia-Pacific region. India was next at 13, while Japan and New Zealand both had 7.
And these incidents are having some far-reaching consequences. A single breach in 2017 alone impacted nearly 50,000 Australians working at government agencies.
With the threat level increasing every day and cyber attackers becoming increasingly sophisticated, drastic measures had to be taken.
As a result, the Mandatory data breach notification (MDBN) will be going into effect on February 22, 2018.
This is a significant amendment to the Privacy Act 1988, which governs how personal information is collected and stored. Although the Privacy Act 1988 has been fairly effective for regulating data over the years, some would argue that it has become antiquated and isn’t robust enough to mitigate the threats that consumers and employees currently face today.
The MDBN serves as a means of beefing up regulations and providing individuals with a heightened level of protection that’s necessary in the late twenty-teens and beyond.
Under this new bill, organisations are required to notify individuals whose personal information is involved in a data breach and who are likely to incur serious harm, as well as the Office of the Australian Information Commissioner (OAIC).
According to the OAIC, there are three specific criteria that warrant notification:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity (an organisation) holds.
- This is likely to result in serious harm to one or more individuals.
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
These types of serious incidents are referred to as “eligible data breaches” and require an organisation to act swiftly. It should also be noted that along with notifying individuals, a company must also provide them with recommended steps for remediation.
In some cases for more minor incidents, notification may not be required. You can learn more about how to identify eligible data breaches via this resource from the OAIC.
Assessing a Suspected Data Breach
If an eligible data breach is suspected, an organisation has a maximum of 30 calendar days to assess it. This involves an investigation of the incident to gather as much information as possible.
For instance, a company would want to find out what type of information may have been compromised, which unintended third-parties may have access to it and which individuals are likely to be impacted.
From there, a decision must be made as quickly as possible as to whether or not the incident is in fact an eligible data breach. If so, a company must follow proper protocol.
Businesses are also urged to do everything possible to minimise the damage and reduce the potential harm that could be inflicted upon individuals. The OAIC points out that if the remedial action taken successfully prevents harm to affected individuals then notification isn’t required.
It should also be noted that although 30 days is the current deadline, this could easily change in the future. After all, a similar law called the General Data Protection Regulation (GDPR) which governs businesses within the European Union gives organisations a mere 72 hours to investigate and notify.
Failure to comply with the MDBN comes with some stiff penalties. Organisations can face fines up to $1.8 million (AUD), and individuals can face fines up to $260,000 (AUD).
That’s no small sum, and the financial backlash can be a major blow. In some cases, it could even force a company to close its doors forever.
Is My Company Affected?
Determining whether or not you’re affected is pretty straightforward. If your company already has obligations under the Privacy Act 1988, you must comply with the MDBN.
The OAIC elucidates and states that this applies to:
- Australian government agencies
- Businesses with an annual turnover of $3 million (AUD) or more
- Credit reporting bodies
- Health service providers
- Tax file number (TFN) recipients
In other words, it applies to a large number of companies, and there’s a good chance that it applies to you. If you’re still unsure, you can learn more on this resource.
Preparing Your Organisation
With the MDBN just around the corner, it’s essential that your company does everything within its power to properly prepare. Remember that prevention is always better than cure. So the more proactive you are, the better.
A good way to start is to analyse your data.
- How do you collect your data?
- How do you decide which data to store?
- Are you storing data that isn’t truly necessary?
- Where is it stored?
- For how long?
- Who has access to your data?
- What security procedures are currently implemented to protect it?
Answering these questions should provide you with a snapshot of your overarching data collection, storage and security process.
After making this assessment, you’ll want to identify any potential issues that could leave you vulnerable to a data breach. For example, maybe you’re too lax about the number of individuals within your organisation who have access to sensitive information.
Having too many admin accounts can potentially jeopardise security, so you may want to reduce that number and allow only the most trusted individuals within your organisation to have access.
This is a process where registered testers attempt to gain access to your company’s data. The idea of penetration testing is to identify flaws before actual cyber criminals are able to. That way fixes can be made, which greatly reduces the odds of your organisation being hit with a major data breach.
Some specific areas that can be tested include the following:
- Web applications
- Mobile applications
- Network and infrastructure
- Supervisory control and data acquisition (SCADA)
If you’ve never had penetration testing performed before, now is a great time to do so.
Upgrading Security Controls
Odds are you’re already devoting a considerable amount of your IT budget to cybersecurity. But with the stakes being so high, you may want to consider upgrading your security controls.
This is especially important if you’re in a high-risk industry such as healthcare, financial services or manufacturing.
But which tools and technologies should you focus on?
A study by the SANS Institute outlines IT security spending trends and shows which technologies companies are spending the most on. Here’s how it breaks down:
- Access and authentication
- Advanced malware protection
- Endpoint security
- Wireless security
- Data protection/encryption
- Continuous monitoring
- Log management
- Network traffic visibility
- Vulnerability management
- BYOD security
While this isn’t to say that you should prioritse IT spending in the exact same order, it provides some nice perspective on what companies find most important.
Did you know that employee negligence is the root cause for roughly 80 percent of all data breaches? It’s true.
Often your biggest liability is simply an employee who doesn’t fully grasp cybersecurity best practices and is ill-prepared to handle threats that come their way.
At the end of the day, cybersecurity is everyone’s responsibility, and it shouldn’t fall in the hands of just a few select individuals in your IT department. Rather it’s wise to get your whole team in on it and provide at least some level of employee training.
Some key areas to cover include:
- How to identify phishing attacks
- Which information can and cannot be shared through email, social media, etc.
- How to spot potentially dangerous links and files
- Securing mobile devices
- How to create strong passwords
Developing an Incident Response Plan
Even though preventative steps like these can go a long way, there’s still never a guarantee that they will protect you 100 percent of the time. Unfortunately, there’s no magic bullet.
That’s why an incident response plan is in order. Some things to address include:
- Identifying potential cyber attack scenarios
- Defining the chain of communication that will take place in the event of a suspected data breach
- Identifying specific actions each individual is responsible for taking
- Defining steps to take in order to contain the attack
- Analysing network traffic to determine the origin of a breach
You can find much more on this topic and even download an incident response plan template on this resource.
Are You Ready?
The MDBN will go into effect shortly, which doesn’t leave you with a lot of time. So getting your business up to speed should be a top priority.
Start by getting familiar with the details of this law. Be sure that you know what constitutes as an eligible data breach and how to assess an incident. From there, you’ll want to follow the steps mentioned above to mitigate your risk but also be capable of swiftly responding in the event that an incident does occur.
As long as you’ve got that covered, you should be in good shape and can run your business with confidence.
How prepared do you feel your company is for this upcoming law? Please share your thoughts: