The Notifiable Data Breaches Scheme

The who, what, when and how you need to know.

The Privacy Amendment (Notifiable Data Breaches) Act 2017, which established the Notifiable Data Breaches (NDB) scheme, came into effect on February 22, 2018.

Australian organisations that meet certain criteria under the Privacy Act 1988, whether for-profit, not-for-profit, business or government, must comply with this amendment.

Unauthorised access to, or disclosure or loss of, personal information must be reported if it is likely to result in serious harm to any individual to whom the information relates. The Act requires you to secure data and to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an Eligible Data Breach.

The OAIC explains that an Eligible Data Breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur)
  • This is likely to result in serious harm to any of the individuals to whom the information relates.
  • The entity has been unable to prevent the likely risk of serious harm with remedial action.

Your reputation as a good steward of stakeholder and customer data is now on the line. It is more important than ever to ensure that not only your IT personnel, but all staff, have the skills to minimise privacy breaches and to manage incidents of compromise correctly.

Any Australian business or organisation to which the Australian Privacy Principles (APPs) apply (an APP entity) is required to comply with the legislation. APP entities include:

  • Australian Government agencies
  • all businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • some small business operators, including:
    – all private sector health service providers
    – those that trade in personal information
    – Tax File Number (TFN) recipients (if annual turnover is below $3 million, the NDB scheme applies only in relation to TFN information)
    – those that hold personal information in relation to certain activities, for example providing services to the Commonwealth under a contract

In practice, if your organisation handles any of the following, the NDB scheme applies to you:

  • Credit reporting information
  • Personally identifiable information
  • Tax File Number information

The first step for any organisation covered by the Act is to work through the following four points:

Prepare

  • Identify at-risk data

Protect

Detect

  • Ensure systems are up to date
  • Consider the ASD Essential Eight mitigation strategies to reduce risk

Respond

In the event of a breach, the OAIC recommends the following four-step process:

  • Contain the data breach to prevent any further compromise of personal information.
  • Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals, and where possible take action to remediate any risk of harm.
  • Notify individuals and the Commissioner if required.
  • Review the incident and consider what actions can be taken to prevent future breaches.

Useful information can be found in the OAIC guide Data Breach Preparation and Response.

Review your data security policies, procedures and systems to ensure you are protecting personal information as well as you can, and repeat that review regularly so it keeps pace with the evolving threat landscape.

If your organisation suffers, or you suspect it has suffered, an Eligible Data Breach, the breach must be reported to the OAIC and to the individuals involved. Reporting should occur as soon as practicable to minimise the risk of harm. Where you only suspect a breach, the Act requires you to complete an assessment of whether it is an Eligible Data Breach within 30 days of becoming aware of the grounds for suspicion, and to notify as soon as practicable once you conclude that it is.

The manner of notification depends on the nature of the breach. It should generally be the method your organisation normally uses to communicate with the individual, must be secure, and must continue to reasonably protect their privacy.

The statement to the Commissioner, and any notification to individuals, must include:

  • the name and contact details of your organisation
  • a description of the Eligible Data Breach
  • the kinds of information compromised
  • recommended steps affected individuals should take in response to the breach

For more information, consult the OAIC website.

At the time of writing there are two kinds of consequences for failing to comply with the Privacy Act:

  • Legal consequences may include a public investigation resulting in civil penalties of up to 10,000 penalty units for a body corporate, equating to $2.1 million at the $210 penalty-unit value that has applied under Commonwealth law since July 2017.
  • Reputational damage can be even more harmful. The public fallout from a data breach can cause considerable financial damage and has the potential to affect future revenue.

There are strategies our customers can put in place to help protect themselves against these threats:

  • Implement the ASD Essential Eight mitigation strategies
  • Install endpoint protection with advanced malware detection
  • Implement email, web and secure internet gateways that block access to malicious websites and detect malware
  • Ensure network security appliances such as next-generation firewalls (NGFW) and next-generation intrusion prevention systems (NGIPS) are kept updated and can detect malicious network activity
  • Implement security automation, orchestration, visibility and forensics tools with incident response capabilities
  • Implement a layer of data loss prevention (DLP) solutions to prevent deliberate or accidental loss of information
  • Undertake a security assessment to identify gaps in existing security policies
  • Undertake a penetration test to identify exploitable weaknesses and potential data exfiltration paths
  • Implement two-factor authentication
  • Train your staff
  • Ensure you have a tested backup and recovery process

How Data#3 can help.

Data#3 has solution experts and consultants who can advise your company on best practices to comply with this legislation, no matter how prepared or unprepared you might be.

Our solutions include the following:

Advisory and Professional Services

  • Implement a strategy to improve your security posture with risk and vulnerability assessments
  • Security awareness workshops and training to ensure users are not your weakest link
  • Security policy development and review
  • Security architecture review and development

Technology Services

  • Identifying, deploying and managing multiple layers of protection against advanced threats and data loss
  • Decreasing mean time to detection and improving visibility with advanced SIEM and SOC capabilities

Response and Managed Services

  • Respond to incidents quickly and effectively

The information on this page is intended for general purposes only. In the event you suspect unauthorised access to personal information, Data#3 recommends you seek independent legal advice.