May 10, 2018

Preparing For The Notifiable Data Breaches Scheme

Source publication: ARN


Information assurance in Australia has always mattered to those who own critical data, and it becomes more complex with each passing day. Virtually all organisations maintain an online presence that holds a wealth of information about the people they interact with. That data is a priceless asset to those who own and use it, and the responsibility for securing it cannot be taken lightly.

On February 22, 2018, the Notifiable Data Breaches (NDB) Scheme came into effect, following the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 the previous year. It applies to Australian Government agencies, for-profit and not-for-profit organisations with an annual turnover of more than $3 million, credit reporting bodies, health service providers, and Tax File Number (TFN) recipients. These categories are not silos; many organisations find they fall into two or more of them.

The NDB Scheme applies to breaches occurring on or after February 22, 2018, not to those before it. Its coverage is not universal: several groups are excepted, including most small businesses, registered political parties, and state and territory authorities. When it comes to safeguarding individuals' personally identifiable information and the risk a breach poses to those individuals, organisations bear responsibility whether or not they are covered by the NDB Scheme.

For the most part, customers are aware of the new requirements but not yet of how those requirements affect them specifically. They must first determine whether they are obligated under the NDB Scheme, based on the size and type of organisation they are, or whether they fall into an excepted group. They must also understand what constitutes a breach and whether it is an eligible data breach that must be notified: unauthorised access to, disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to the affected individuals, and which remedial action has not been able to prevent. Where an entity only suspects that an eligible breach has occurred, it has 30 days to assess whether it has. When a breach meets the criteria for notification, the individuals whose information was breached and the Office of the Australian Information Commissioner must be notified.

While many customers have been actively preparing for the NDB Scheme to come into effect, work remains. We have been engaging with customers to ensure they understand their obligations, prepare for the scheme, and improve their security posture. An important step in readiness is the capability to reasonably ascertain that a breach may have occurred. Many organisations have inadequate visibility over their data transactions and insufficient resources, including people, technology, and budget. This means a breach may already have occurred without the business knowing.

The introduction of the NDB Scheme will trigger an increase in information assurance investment, including hardware, software, and consulting services. Growth has already been occurring across the cybersecurity industry and will accelerate as customers bolster their defences, operational readiness, and incident response capabilities. The ability to determine through technical controls that a breach has occurred, and to take remedial action, must be a budgetary consideration for covered entities. Even if exempt, all organisations should consider their obligations to their customers.

Some of the challenges facing our customers today stem from an outdated mindset that security is exclusively an IT problem rather than a business problem. Information assurance conversations must be about risks and business impacts, not just technology. Every employee must understand that they share responsibility for safeguarding the business's data, and with the rise of mobile and cloud computing, the traditional workspace now extends beyond the office to the home and public spaces. Limited resources (people, technology, and budget) mean customers may be doing their best but still need assistance to improve.

Our Security Practice leads with an assessment-based approach that helps customers first understand their present security posture, enabling informed decision-making. Combining a shorter-term tactical approach with a longer-term strategic vision, we work with customers to develop an information assurance roadmap that evolves with them, adapts to the threat landscape, and is contextualised to their business and industry.

In 2018 and beyond, we will continue to work with customers on managing their information assurance risk and on implementing a cybersecurity strategy to prepare for, protect against, detect, and respond to threats. As a leading security services provider, we will assist customers in implementing risk controls to manage issues arising from people, process, environment, and technology, well beyond the NDB Scheme alone.