The Mandatory Data Breach Notification Scheme will come into effect in February 2018. Find out how it will affect your organisation, what you need to know and take advantage of our security checklist to ensure your organisation is ready for the changes planned.
An amendment to the Australian Privacy Act was passed by the Senate in February 2017, establishing a Notifiable Data Breaches (NDB) scheme in Australia that will commence on 22nd February 2018. The NDB scheme will require all organisations currently covered under the Australian Privacy Act to advise individuals if their data has been breached in a way that may result in loss or damage. In addition, organisations will need to provide affected individuals with recommendations on the steps they should take to protect themselves from further damage.
The first obvious effect on organisations is the importance of confirming a data breach, its seriousness and its implications for the individuals involved. This means organisations will need to be ready to conduct regular, ongoing assessments to ensure breaches are detected in a timely manner so they can remain compliant under the legislation.
This legislation ushers in an era of data protection in which organisations that have not already done so will need to strengthen their security posture to ensure personal information is protected. The transparency afforded to end-users through the introduction of the Notifiable Data Breaches scheme will in turn reward organisations with strong security protocols and provide a competitive advantage over those without them.
What would be considered a Notifiable Breach?
A data breach that could result in damage or harm to an individual because of the lost data would be considered a Notifiable Data Breach. This includes any unauthorised access to data, unauthorised disclosure of data, or loss of information held by the organisation.
Instances of data breaches can include (but are not limited to) -
Is your Business Ready for NDB?
The simplest way to ascertain whether your organisation will be affected is to find out if it is covered by the Australian Privacy Act. If it is, then it will also fall under the NDB scheme. If your organisation falls under the scheme, it's certainly time to have internal conversations around what this means to your organisation and who needs to be involved.
Here is a security checklist to get you started -
Your first step should involve performing a data review -
Prepare a breach response plan -
Review your current monitoring and controls -
Complete an Information Security Risk Assessment to establish your baseline security posture
How Do You Notify of A Breach?
If you have ascertained that the breach falls under the NDB scheme, you will need to advise all affected individuals as well as the Office of the Australian Information Commissioner (OAIC). The notification must cover the following points -
Next Steps
As with everything in life, prevention is always better than cure. With that in mind, if you have not already started your security preparation, it is imperative that you get moving! If you need any assistance in preparing to meet your obligations under the new legislation, or would like assistance in fortifying your security posture, just reach out; we are here to help.