When new legislation is introduced that relates to IT security, it is always worth paying attention. Such is the case with Australia’s new Notifiable Data Breaches (NDB) scheme, introduced recently. Few Australian businesses are untouched by the new scheme, but despite media hype, there is no need to panic. A little time spent now can prevent a bigger headache and loss of reputation later, so it is worth understanding what the legislation means to you.
What is Australia’s NDB?
The NDB scheme, part of an amendment to the Privacy Act 1988, lays out requirements for organisations to report data breaches. Not all breaches are covered – the scheme is specifically interested in those that may result in serious harm to the individuals whose data is compromised. When a breach happens, prompt action must be taken. The Office of the Australian Information Commissioner (OAIC) website is a great reference point for detailed information on the NDB scheme.
Data Protection and ‘Reasonable Harm’
No matter how carefully you guard your customer and employee data, breaches do happen to all kinds of organisations – but not all breaches must be reported. An eligible data breach involves three factors:
- There has been unauthorised access or disclosure, or data has been lost.
- Harm could be caused to an individual as a result.
- The organisation holding the data wasn’t able to remedy the situation fast enough to prevent that harm.
‘Reasonable harm’, though, is something of a grey area. To a reasonable person, that might mean information like medical records, credit card numbers, employee history and date of birth. Most of us wouldn’t want our religion, sexual preference and details of our salary handed to strangers, or for cyber-criminals to have access to all they need for identity fraud. Information already in the public domain, such as email addresses or job titles, is not covered. If in doubt, check.
How Do I Know If Data Is Breached?
Many organisations are unaware of breaches to their IT security. A Ponemon Institute report into cyber-security found that financial organisations took an average of 98 days to detect a breach, and retailers around twice as long. Some new technologies cut this time right down to hours, which gives you a far better chance at remedial action.
You can also educate your people to be aware of suspicious callers asking questions to elicit more details, or an increase in phishing emails that appear to know too much. If you suspect a breach, or are informed of a breach by a customer or employee, under the new regulations you have thirty days to investigate. Of course, if suspicious activity shows in a log during a security audit, or a laptop is stolen, act immediately.
How Do I Notify Data Breaches?
You need to inform both the individual affected and the OAIC, giving details of the type of information involved and recommendations on action that should be taken.
How Do I Prevent Future Breaches?
An independent security audit is a good starting point when you want to bolster your data protection. Because cyber-crime is increasingly sophisticated, IT security has become a more specialised field, with many services available to help.
Some organisations opt for managed services, so they no longer have to manage day-to-day security, while others consider cloud options. In terms of security, this can be a bargain; even the smallest customer using our infrastructure as a service (IaaS), for example, gets the top-tier HPE infrastructure and enterprise-level security designed for our government customers.
Prevention is, of course, better than cure, and my team is always happy to help customers to improve their security posture. Time for a data protection rethink? Contact us today.
About the Author
Kevin Koelmeyer is Somerville’s Head of Security, CISSP, TOGAF 9 Certified.