Is your business prepared for the new Australian obligations on data breaches? From February 22 you could be risking your business’ reputation on it.
The new Notifiable Data Breach (NDB) scheme under the Privacy Act 1988 will come into force in Australia on 22 February 2018. Under the scheme, entities will be required to respond to data breaches, including through notification obligations, when the breach is likely to result in serious harm to individuals whose personal information has been leaked, hacked or lost.
The NDB scheme provides a new standard in Australia for what is expected of entities that, through error or hack, provide personal information to people who should not have access to it. More than that, the scheme may encourage businesses to reassess the cost of lacklustre data governance and cyber security policies, as the stakes of a breach, both the costs and the potential reputational damage, increase.
For too long Australian businesses have relegated cyber security to an ‘IT issue’, but as cyber-attacks become more frequent, and more public – including through the new notification obligations under the NDB scheme – entities that view cyber security as a whole-of-business challenge will be best placed to stay ahead of the curve.
As consumers become more empowered over the security of their personal information, leaks and hacks of personal information databases will become less acceptable, and reputational damage is likely to rival the resource costs and regulatory costs involved in resolving breaches.
Australian businesses have been rocked by a rolling wave of data breaches over the last few years involving the release of the personal information of customers and employees. In July 2017, Flight Centre mistakenly released customer information, including passport numbers, to third party suppliers. Domino’s customers were targeted in October by scammers after their customer data was breached by a former supplier. And in November last year, 50,000 Australians had sensitive personal information exposed by an Australian Government private contractor through an incorrectly configured cloud storage service.
All of these are examples of breaches which, had they happened next month, could be considered a Notifiable Data Breach under the new scheme. Regardless of whether the cause is ‘merely human error’ or a targeted malicious attack, from February 22 these businesses will need to consider their reporting responsibilities under the scheme.
Is your business ready? Businesses can start building their resilience to cyber-attacks and tightening their data policies now, in order to prepare themselves for the upcoming changes.
The NDB scheme recommends organisations prepare or update their data breach response plan. A response plan will not only ensure you are compliant under the new scheme but will be invaluable in the first 24 hours after a data breach has been discovered in your business. Quick remedial action may allow your business to prevent the likely risk of serious harm to the affected individuals and eliminate the possibility of having to front up with a public notification statement.
Good cyber security practices can start with good data governance. A strong data governance framework will ensure data is handled appropriately with the right security controls, and only handled by those who have an accepted business need. A data governance framework which is supported by software that ensures rules and policies are in place, and reviewed consistently by the right data stewards, will give businesses the edge in being able to trust their data and, importantly, trust the security of their data.
Finally, make sure your staff are aware of the incoming changes and the possible implications for your business. A data breach can look as innocent as an unsecured work smartphone left in a taxi, or the wrong attachment sent in an email. Making sure your staff are trained in up-to-date, best-practice cyber security will deliver a high return on the training investment.
Speak to EC Integrators on how we can assist your organisation on improving data governance and resilience to cyber-attacks.