Are You Ready for 2018’s Mandatory Data Breach Notification Laws?
Just like in much of the world, Australia has felt the sting from data breaches.
A single breach in 2017 resulted in the sensitive information of nearly 50,000 Australians and 5,000 federal public servants being leaked.
And this is unfortunately a trend that shows no sign of slowing down. In fact, more than 5.1 million records are stolen globally every single day. That’s 59 records a second.
So it should come as no surprise that serious action has been taken to get this problem under control and has led to the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, which is otherwise known as the NDB scheme.
According to Data Privacy Monitor, the Australian Senate passed a bill on February 13, 2017 that established a mandatory requirement to notify the Privacy Commissioner along with affected individuals of “eligible” data breaches.
This pertains to any type of data breach that has the potential to bring about serious harm to the individuals involved.
Mondaq offers further clarification on the term “serious harm” and states that it can include serious physical, psychological, emotional, economic and financial harm. They also point out that it can relate to serious harm being done to a person’s reputation.
In these types of cases, affected individuals must be notified in a timely manner.
Here are some examples:
- A cyber criminal gains unauthorised entry to your organisation’s database, which contains sensitive customer information
- A device that stores sensitive customer information is either lost or stolen
- Someone within your company accidentally provides the wrong person with sensitive information
But it’s important to note that notification isn’t required in all cases. If a data breach is quickly remediated so that it’s not likely to result in serious harm, notification won’t usually be necessary.
The NDB scheme will officially go into effect on February 22, 2018 and only applies to data breaches that occur on or after that date. In other words, this wouldn’t apply to a data breach that happened prior to February 22, 2018.
Data Privacy Monitor also provides specifics into the penalties that can arise from failure to notify affected parties. They state that individuals can be fined anywhere up to $360,000 ($274,560 USD) and organisations can be fined up to $1.8 million AU ($1.37 million USD).
With steep fines, this new law definitely isn’t something to take lightly. Even one offence could have a crippling effect on a company and even put it out of business.
This shows just how serious the Australian government is about improving cyber security and cracking down on data breaches.
Who Does it Apply To?
It’s simple. It applies to any business, Australian Government agency or other organisation that’s required to keep information secure by the Privacy Act 1988.
This new law is an amendment to the original Australian law. So if your company was required to comply with the Privacy Act 1988, it’s required to comply with the NDB scheme.
What’s the Overarching Purpose?
Due to the widespread prevalence of data breaches both in Australia as well as globally, the NDB scheme is designed to increase protection levels across the board and keep sensitive information more secure.
It’s the responsibility of organisations to ensure that their customers’ information is kept safe and that they do everything possible to prevent a breach from happening.
With that being said, it’s inevitable that data breaches will continue to persist. But the NDB scheme provides a framework that requires businesses to respond swiftly and with maximum transparency in order to mitigate the damage.
This ultimately gives consumers more confidence and peace of mind knowing that their personal information is being safeguarded and that they’ll have a heads up in the event that their information is compromised.
How to Prepare
If this new law impacts your company, you’ll need to ensure that you’re properly prepared once February 22, 2018 rolls around.
This typically starts with reviewing the current set of policies, practices and procedures your company uses to secure your customers’ personal information. You’ll want to make sure that you’re taking serious measures to keep this information safe and reduce the likelihood that it’s ever mishandled.
If you feel that your current policies, practices and procedures are inadequate for protecting sensitive information, you’ll need to make the necessary updates.
Note that 80 percent of all data breaches are linked to some type of employee negligence. This means that you can prevent many would-be breaches by simply educating your staff on cyber security best practices.
Some examples includes:
- Instructing them on how to create strong passwords and ensuring that they routinely change those passwords
- Helping them understand how to identify phishing attempts
- Setting limits on the types of information they can share through email and on social media
- Establishing a series of steps to follow if they feel that information has been compromised
Being proactive about cyber security is essential and often your best line of defence, so the more energy you put into employee education, the lower your risk level should be.
Another big part of being proactive is to perform routine penetration testing. This practice involves a team of experienced testers attempting to ethically hack into your organisation’s data assets. There are several different types of penetration testing including:
- Web application
- Mobile application
- Network and infrastructure
It’s an effective way to identify flaws/vulnerabilities and ultimately provides you with actionable recommendations on what you can do to fix them. The reports that are generated will help you address key issues before actual cyber criminals do, which is integral for protecting your data.
Understanding the Information Lifecycle
It’s also important to understand the do’s and don’ts of the information lifecycle.
As the Office of the Australian Information Commissioner (OAIC) explains, keeping information safe largely revolves around protecting it throughout the various stages of the information lifecycle.
They break it down into five specific stages, which include the following:
- Deciding whether or not it’s truly necessary to collect and store sensitive information to perform a task or carry out a function
- Determining how sensitive information will be handled
- Identifying the risks that are involved with collecting this information
- Taking the necessary steps and implementing strategies in order to safeguard the information that you retain
- Destroying sensitive information once it’s no longer needed
Adhering to these five stages and creating a security-minded culture are some of the best things you can do to minimise the threat of a data breach and prevent information from falling into the wrong hands.
For more on securing personal information, check out this resource from the OAIC.
The Notification Process
Let’s say that it’s a worst-case scenario and there’s been a data breach that’s likely to result in serious harm to your customers. You need to ensure that you’re following proper protocol when notifying them as well as providing a statement to the Privacy Commissioner.
The notification must include the following information:
- The name and contact information of your organisation
- A description of the nature of the data breach
- The specific type of information that may have been compromised
- Recommendations and/or steps that should be taken in response to the incident
In terms of timing, relevant individuals should be notified as quickly as possible. The sooner they become aware of the incident, the better odds they have of reconciling the problem.
The OAIC also points out that there is some flexibility when it comes to notifying affected individuals and there are three different options, which include:
- Notifying all individuals – This includes everyone whose personal information was part of the data breach, which often makes sense if you’re unable to determine which specific individuals are at serious risk.
- Notifying only individuals who are at risk of serious harm – The benefits of this option are that it can potentially save your company time and money as well as reduce the anxiety of individuals who aren’t actually at risk.
- Publish notification – This involves publicising the details of the data breach online.
Check out this resource to learn more about notification details and to determine what the best option would be for your company.
Making Sure You’re Ready
With data breaches and other cyber security threats on the rise, Australia is taking serious measures to protect the personal information of consumers. The NDB scheme represents a major step toward regulating this area more effectively and creating a standard that all organisations must meet.
With this law’s commencement just around the corner, it’s incredibly important that your business takes all of the necessary steps to prepare.
By doing so, you can minimise the chance of a serious data breach occurring and protect your data assets. Even in a worst case scenario where it does actually happen, you’ll know how to swiftly respond so that you can better protect your customers and avoid costly penalties.
Has your company ever experienced a data breach of any kind? Please share your story below: