In February of this year, the Notifiable Data Breaches (NDB) legislation was passed, with the new regime coming into effect on 22 February 2018. This means businesses need to start preparing now to comply with this amendment to the Privacy Act.
The NDB scheme requires businesses to notify both the Office of the Australian Information Commissioner (OAIC) and any affected individuals if the company experiences any unauthorised access, disclosure, or loss of personal information, if a reasonable person would conclude that this access, disclosure, or loss would be likely to result in serious harm.
The act makes it clear that serious harm isn’t necessarily only related to financial losses but could also include the public disclosure of private information such as a medical condition, for example.
Last month, cyber security leaders from major Australian organisations gathered in Sydney for an executive roundtable discussion on the mandatory NDB scheme.
The event was moderated by Tony Heywood, vice president, AGC Networks, and contributors included Sean Duca, vice president and chief security officer, Asia Pacific, Palo Alto Networks, and Patrick Gunning, partner, King & Wood Mallesons. Attendees from businesses in the education, banking and finance, insurance, and manufacturing sectors discussed the scheme and how it may affect businesses.
It became clear that, despite best intentions, most organisations aren’t sure how the legislation will affect them, so they aren’t sure how to prepare for it. While most Australian organisations are aware of the need to protect personal information, there is a sense that cyber crime isn’t a significant issue in Australia. However, this couldn’t be further from the truth and no business is exempt from hacking attempts. Therefore, businesses must focus prevention as well as on how to deal with a breach once it’s happened.
Many cyber criminals are content with stealing small pieces of information about a person from different sources so they can build a mosaic of that person’s identity. This sort of identity theft can be lucrative for the criminals and distressing for the victim. The data breach notification scheme aims to help those people regain some control over their personal information sooner rather than later.
Many businesses already voluntarily disclose cyber security breaches to customers as a natural extension of their trust-based relationship with customers. Banks, for example, are more likely to let customers know if their data has been compromised, preserving the customer’s faith that the bank will protect their details.
Some businesses have expressed a concern that admitting to a security breach could make it easier for customers to launch a class action lawsuit, as the notification could be seen as an admission of guilt. This is less likely to be an issue in Australia, where class action laws are less favourable to plaintiffs than in litigious countries such as the United States.
Most organisations agreed that disclosing the breach is just good business practice. However, the details and logistics of how to do so aren’t necessarily clear.
Preparing for the mandatory NDB scheme is closely tied to a company’s overarching cyber security strategy. While it’s important to have notification processes in place and to clearly understand the requirements under the law, businesses should focus their resources on preventing attacks from happening altogether.
In practice, this should include sharing information about breaches in the industry, and putting in place the right tools, processes, and people to prevent or detect and remediate breaches before the criminals can do any real harm.
Given the extremely high likelihood that most businesses will be attacked at some point, it’s also essential to understand how the organisation will respond in case of an incident. Some businesses practice, putting together teams to respond to attacks and rehearsing in real-life scenarios. It’s important to understand who in the company has ultimate responsibility for security, including a chain of succession if key people aren’t available.
When it comes to preparing for the mandatory NDB scheme, there are six key points to be aware of:
1. The scheme only covers personal information, not business-related information.
2. ‘Serious harm’ doesn’t have to be financial; it can also be emotional.
3. Building trust with customers is essential, so notification serves a greater business purpose regardless of legislation.
4. Cyber security is a business risk, not an IT risk, and leadership must come from the top.
5. Working with third parties and supply chain partners introduces new risks, so due diligence must be conducted and businesses must agree who would be responsible for reporting a breach.
6. Ignorance of a breach is no defence: the legislation requires that companies monitor the effectiveness of security measures and report breaches within 14 days.
Tony Heywood is vice president, Australia, AGC Networks.
Read more: Hacking costs hit Equifax