On 22 Feb 2018, new privacy laws came into effect in Australia, known as the Notifiable Data Breach (NDB) scheme. Designed to create more transparency and protect the rights and security of individuals, the scheme regulates the reporting and notification of eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and the impacted individuals.
Despite the scheme being in place for nearly two years, there are still so many Australian businesses that don’t understand how to meet the requirements for the amendment to the Privacy Act.
Not only does your business need to be aware of what constitutes a notifiable data breach, but it should also have a suitable response plan that can be quickly implemented should a data breach occur.
As thousands of businesses across Australia know, we take security seriously. Not only are we committed to protecting our own data, we also offer cyber security services to protect other businesses’ data as well. Keep reading to learn more about what notifiable data breaches are, and how you can ensure your business remains compliant.
What is a data breach?
Put simply, a data breach is a security incident where private information is accessed without authorisation. Not only is it costly, but it can also hurt businesses and consumers in a number of ways. Depending on the type of information that was breached, lives and reputations can be damaged, taking significant time (and money) to repair.
Some of the ways a data breach can occur include:
- Phishing attacks
- Man-in-the-middle (MitM) attacks
- Drive-by attacks
- Malware or viruses
- Human error
- Employee theft
As businesses continue to rely upon technology and the cloud for data storage, it’s likely we’ll see more breaches occur as time goes by. Only last year, the OAIC received 245 notifications between 1 April and 30 June 2019 – and that’s just the ‘notifiable’ ones![1]
When is it considered a ‘notifiable data breach’?
A data breach is considered notifiable when it’s likely to result in serious harm. Examples of serious harm include the following:
- Identity theft
- Financial loss through fraud
- A likely risk of physical harm, such as from an abusive ex-partner
- Serious psychological harm
- Serious harm to an individual’s reputation
If your business is covered by the Privacy Act 1988[4] and it experiences a data breach that is likely to result in serious harm, you must notify affected individuals and the OAIC. Generally speaking, businesses have 30 days to assess whether a breach is likely to result in serious harm. In that timeframe, they must also try to reduce the chance that an individual experiences harm. If the business can successfully limit harm, they’ll still need to inform the OAIC, but may no longer need to advise the individual (depending on the type of breach).
An example of a data breach that resulted in serious harm was in 2015, prior to the NDB scheme being in place, when Telstra partner Sensis published hundreds of silent numbers on its online version of the White Pages.[2] While Telstra and Sensis both investigated alongside the Privacy Commissioner, if this were to happen under the new scheme they would have been required to report it within 30 days to the OAIC and the impacted individuals. They may also have been required to cover the costs of relocation for the impacted individuals to help avoid serious harm.
Of course, this type of data breach is an example of human error; according to the OAIC, 34% of NDBs between April and June last year were a result of human error. More concerning, however, was that 62% were attributed to malicious or criminal attacks.[1]
Protecting your business from cyber attack
Globally, the average cost of a data breach to a company is $3.86 million[3] – which means it’s certainly not something to take lightly. While processes to minimise human error can be implemented, a bigger investment needs to be made in order to protect your business from malicious activity.
Many companies are now opting to outsource their cyber security needs to a Managed IT Services provider (MSP). By working with an MSP, not only do you have access to a team of specialists – often for less than the price of hiring just one internal IT technician – but you also have 24/7 support and access to the latest technology, ensuring your network and data is as secure as possible from cyber attack.
At Spirit, our cyber security services include Managed Firewalls, Managed Wi-Fi and Endpoint Protection. Each service is tailored to your business’ unique requirements, ensuring you have closely-monitored ‘always on’ protection from cyber criminals.
Having a response plan for a notifiable data breach
Even with the best cyber security in place, it’s important to note that there is still potential for a data breach to occur. Technology is advancing at a rapid rate – and cyber criminals are only getting smarter. That’s why the amendment to the Privacy Act also requires businesses to have a documented response plan should they be impacted by a notifiable data breach.
A data breach response plan enables your business to respond quickly, substantially decreasing the impact of a breach on affected individuals. A quick response will also reduce the costs associated with dealing with a breach, and can reduce the potential reputational damage that can result.
The OAIC recommends that your response plan be documented in writing to ensure everyone at your organisation clearly understands what needs to happen in the event of a data breach. It should cover the following information:
- A clear explanation of what constitutes a data breach.
- Potential strategies for containing and remediating the breach.
- Any legislative or contractual requirements, such as the requirements of the NDB scheme.
- When and how affected individuals will be notified.
- Criteria for determining which external stakeholders should be contacted (e.g. law enforcement, the media, regulators such as the OAIC, etc.).
- The roles and responsibilities of staff.
- The circumstances in which a senior manager can handle a data breach, and when it must be escalated to a response team.
- How your business will record data breach incidents, including those not escalated to a response team.
- Reviewing the data breach, including how it occurred, the success of your response and how you can improve.
In order to be compliant with the NDB scheme, it’s critical that you ensure your business has the capability to implement its response plan as a priority should a data breach occur.
Responding to – and defending against – data breaches with Spirit
The OAIC strongly recommends that you have a team responsible for managing and executing your plan should a data breach occur. While this team will most likely include members of your staff, such as an IT manager or team leader (depending on the size of your business), it can also include your Managed IT Services provider.
At Spirit, our cyber security services can help prevent data breaches, and also ensure you stay compliant with the Privacy Act should one occur. Get in touch with one of our specialists today to learn more about how we can help.