Preparing For The Notifiable Data Breaches Scheme

Source publication: ARN

Information Assurance in Australia has always been important to those with ownership of critical data, but as each day passes, it becomes more complex. Virtually all organisations maintain an online presence that contains a wealth of information about the people they interact with. This data is a priceless asset to those who own and use it, and the responsibility for its security cannot be taken lightly.

On February 22, 2018, the Notifiable Data Breaches (NDB) Scheme came into effect after the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 last year. This will impact Australian Government agencies, for-profit and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and Tax File Number (TFN) recipients. These categories are not silos, and many organisations find they fall into two or more of them.

The NDB Scheme will apply to breaches occurring on or after February 22, 2018, but not before. Since there are several exceptions, such as some small businesses, registered political parties, state or territory authorities and state-based organisations, there is room for improvement. When it comes to safeguarding the personally identifiable information of individuals and the risk to them personally, organisations bear responsibility, whether eligible or not under the NDB Scheme.

For the most part, customers are aware of the new requirements, but are not yet fully aware of how these requirements affect them specifically. They must first determine if they’re obligated under the NDB Scheme, depending on the size and type of organisation they are, or if they’re in an excepted group. Customers must also understand what constitutes a breach and whether it’s eligible for notification by objectively deciding if serious harm is likely. When a breach meets the criteria for notification, the individuals whose information has been breached and the Office of the Australian Information Commissioner must be notified.

While many customers have been actively preparing for the NDB Scheme to come into effect, work remains. We have been engaging with customers to ensure they understand their obligations, prepare for the scheme, and improve their security posture. An important step in readiness is possessing the capability to reasonably ascertain that a breach may have occurred. Many organisations have inadequate visibility over their data transactions and insufficient resources, including people, technology, and budget. This could mean a breach occurred unbeknownst to the business.

Without doubt, the introduction of the NDB Scheme will trigger an increase in information assurance investments including hardware, software, and consulting services. Growth has already been occurring across the cybersecurity industry and will further increase as customers bolster their defences, operational readiness, and incident response capabilities. The ability to determine if a breach has occurred through technical controls and to take remedial action must be a budgetary consideration for eligible entities. Even if exempt, all organisations should consider their customer obligations.

Some challenges facing our customers today include an outdated mindset that security is exclusively an IT problem and not a problem for the business. Information assurance conversations must be about risks and business impacts, not just technology. All employees of an organisation must understand they bear responsibility in safeguarding the business's data, and with the rise of mobile and cloud computing, the traditional workspace extends from the office to the home and public spaces. Limited resources (human, technical, and budget) mean customers may be trying to do their best, but may need assistance to improve.

Our Security Practice leads with an assessment-based approach to help customers first understand their present security posture, which will enable informed decision-making. By using both a shorter-term tactical approach and a longer-term strategic vision, we work with customers to develop an information assurance roadmap that evolves with them, adapting to the threat landscape and contextualised to their business and industry.

In 2018 and beyond, we will continue to work with customers to discuss how to manage their information assurance risk and how they can implement a cybersecurity strategy to prepare, protect, detect, and respond to threats. As a leading security services provider, we will assist customers in implementing risk controls to manage issues arising from people, process, environment, and technology – well beyond just the NDB Scheme.
