Many organisations’ hearts are palpitating as the deadline to comply with the Privacy Amendment (Notifiable Data Breaches) Act 2017 looms. The scheme commences on 22 February 2018, so now is the time to act, before you are neck-deep in a data breach and facing a fine of up to $1.8M.
The Act applies to for-profit, not-for-profit and government organisations already covered by the Privacy Act, which includes businesses with an annual turnover of $3 million or more. Certain smaller businesses, such as health service providers that handle medical data, are also covered regardless of turnover.
From 22 February 2018, any organisation that experiences an eligible data breach, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned, must:
- Notify the Office of the Australian Information Commissioner (OAIC), and
- Notify the individuals affected as soon as practicable.
If you only suspect a breach has occurred, you have 30 days to assess whether it is an eligible breach. The 30 days is an assessment window, not a notification deadline: once you reasonably believe the breach is eligible, notification must follow as soon as practicable.
Everything turns on the word “serious”, so it is vital that organisations understand what it means. A breach is eligible when unauthorised access, disclosure or loss has occurred and a reasonable person would conclude it is likely to result in serious harm to the individuals concerned. The information covered includes personal information, credit reporting information, credit eligibility information and tax file number information.
Serious harm is not exhaustively defined in the Act itself; the explanatory memorandum to the Privacy Amendment (Notifiable Data Breaches) Act 2017 says it could include:
“serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”
If there has been an eligible breach, your statement to the OAIC and to affected individuals must set out your organisation’s identity and contact details, a description of the breach, the kinds of information involved, and the steps individuals should take in response. It is also good practice to explain what you have done to contain and address the breach.
Notify every individual at risk of serious harm, whether they are clients, suppliers or vendors, and tell them what they should do immediately.
Many organisations feel this is unlikely to happen to them, but the numbers say otherwise. The Australian Cyber Security Centre’s (ACSC’s) latest Threat Report records 47,000 cyber-crime incidents, up 15% on the previous year, and 56% of those affected were from industry rather than government. Those are only the incidents we know about. There is little doubt that the threat is real and growing.
Here are nine things you can do to reduce your risk and be prepared should an eligible breach occur.
- Form a steering group that owns the plan for responding to an attack.
- Understand what data you currently gather and store, how sensitive it is, and whether you need to collect it at all. In other words, know where you are vulnerable and how you can reduce that exposure; data you do not hold cannot be breached.
- Include third parties and managed service providers in your analysis and planning, including cloud services and other outsourced data services. Know what data is stored with which provider, where it is stored, and what you will do if someone gains access to it. You remain responsible for notifying your customers whether the breach occurred inside your organisation or at a third party that stores or manages your data. Ensure third-party suppliers use current security controls and can demonstrate compliance, and make breach notification to you a contractual obligation.
- Once you have identified the assets that need protection, make sure current security controls are in place to protect them, paying particular attention to data in transit. If you are unsure where to start, adopt the Australian Signals Directorate’s Essential Eight mitigation strategies as a baseline.
- Understand who is likely to attack you: cyber-criminals, a nation-state, or an insider with malicious intent. Make sure your plan covers each scenario.
- Review your insurance and confirm it covers cyber-attacks, with enough coverage for the costs of notification and remediation.
- Have a concrete, written and distributed plan setting out what to do when a data breach occurs, who does each task, and within what time frame. Train your team and run drills against it.
- Ensure you have the buy-in and support of senior management and, where necessary, the board.
- Should a breach occur, contain it, identify the risks and security gaps it exposed, and notify the OAIC and affected individuals. If human error was the cause, train staff so that it does not recur.
With the right planning now, you will be well prepared when the scheme commences on 22 February 2018 and ready should a breach occur afterwards. The pre-work may seem daunting, but put it in pre-emptively and your clients, suppliers and board may well thank you for it.