Why the notifiable data breach scheme should be the ‘notification of archaic systems and processes’
- 08 June, 2018 00:00
There has been a lot of talk in recent months about the government's new notifiable data breach (NDB) scheme. The scheme, which took effect in February 2018 as an amendment to the Privacy Act, requires an organisation that suffers a data breach likely to result in serious harm to the individuals concerned to notify the Office of the Australian Information Commissioner (OAIC). It must also notify each of the affected individuals, typically its customers, that their personal information was exposed.
Imagine if, rather than notifying a data breach, an organisation had to publicly notify its customers that it was running a multimillion-dollar business on an unsustainable budget, on antiquated systems and processes, from outdated technology to manual handling of customer data.
There is a much broader issue at play than data breach notification alone. The NDB scheme deals with one consequence of having inadequate or antiquated IT systems, policies, and procedures in place. A data breach is only one of the many problems they cause.
The bigger challenge is that many systems, particularly in Australia, are simply not good enough to support the modern world.
Organisations may blame naivety, ignorance, or budgetary constraints for not modernising their IT, but the reality is that these organisations are simply not fulfilling their corporate social responsibility. They’re exposing their customers and the general public to risk of harm, expense, and inconvenience. This is not a sustainable business model and it needs to change.
On top of all of this there are flow-on effects for the organisation if a breach occurs. Chiefly, the downtime associated with a breach can cost businesses millions. Downtime means inconvenience for customers, which in turn damages the organisation's brand. If customers can't access products and services, they will turn to competitors. The impact of a breach on the business therefore goes far beyond the notification obligation in the new laws.
The NDB scheme is focused on reporting data breaches. However, the new laws can be an opportunity for organisations to:
• invest in a security audit to validate whether their systems and processes are robust before they suffer a costly breach or outage. The audit should also establish where personal information is held and who can access it, because an organisation cannot judge whether a breach is likely to cause serious harm if it does not know what was exposed
• reduce manual handling as much as reasonably possible, particularly of client data. Automation and cloud technologies are cost effective today, letting organisations cut the opportunities for human error and focus on their core business
• ensure there are contingency plans in place. Businesses should invest in layered security controls and put business continuity and disaster recovery solutions and plans in place, together with a data breach response plan, so that, when the worst case happens, the harm to employees, customers, and the business's reputation, as well as downtime, can be minimised. The response plan matters under the new laws as well: an organisation that suspects an eligible data breach must assess it within 30 days, which is hard to do without a rehearsed procedure.
Don’t be the organisation that thinks it’s not susceptible to a breach. By being proactive and mitigating the risks, businesses can protect their customers and their brand.
James Bergl is a CompTIA ANZ Channel Community executive council member and director of sales, APAC, at Datto Inc.