Is your organisation ready for mandatory data breach reporting?
Australia has entered a new cyber security era with the Notifiable Data Breaches (NDB) scheme, which came into
effect on 22 February 2018.
The scheme impacts all organisations with a turnover of more than $3m, and many others below that threshold that hold personal data,
including banking details, medical records, addresses and phone numbers in hard copy or digital format. In short, the NDB scheme applies to
any organisation that is considered an APP entity under the Privacy Act.
From 22 February 2018 onwards, where an organisation has reasonable grounds to believe an eligible data breach has occurred, covering staff data as well as client data, it legally must
report the breach to the Office of the Australian Information Commissioner (OAIC); a breach that is only suspected triggers a mandatory assessment (see below). In addition, the
individuals whose data is compromised must be notified 'as
soon as is practicable'.
Non-compliance can attract steep penalties of up to $1.8 million for businesses and $360,000 for individuals.
Why has the Federal Government taken this action?
For a variety of reasons, Australia has been identified as an attractive target for cyber criminals, who use our relatively small population
to test new attack tools. In 2017, 59% of organisations in Australia reported business-interrupting security breaches on an at-least monthly
What constitutes a reportable data breach?
According to the OAIC, a reportable data breach is unauthorised access to or disclosure of personal information about one
or more individuals where this could result in serious harm, including:
The likelihood of serious harm occurring is a key factor and depends on the sensitivity of the information, whether it was
encrypted (and whether the encryption key remained secure) and how easily the remaining security measures could be defeated. If an organisation suspects a breach has occurred, it is required
to carry out a reasonable and expeditious assessment of
whether an eligible data breach has in fact happened, and to complete that assessment within 30 days.
Being able to remediate the issue immediately matters: if remedial action is taken quickly enough that serious harm is no longer likely, the incident is not an eligible data breach and does not have to be notified. This is a
compelling reason for having dedicated cyber security resources and a coordinated plan in case of a breach.
Have an action plan
The first step of an action plan is appointing a dedicated team of trained personnel who can take immediate action to
respond quickly and effectively if a suspected breach occurs.
You also need a checklist in place to apply a methodical approach to containing and evaluating the breach, notifying those affected, and preventing
As a priority, organisations should conduct an up-to-date audit of the data they collect on their clients and customers, keeping only what is
essential to operations. The information that is retained must be encrypted and secured.
Line up your resources
In the case of a data breach, in-house or external resources should include a technical forensics analyst, legal counsel and a communications specialist, to enable an immediate response and damage limitation.
Specific insurance cover is also highly recommended. A comprehensive cyber insurance program needs to cover multiple risks, from financial
loss to legal costs, and should be put together by a broker who understands both your operation and how a data breach could impact
For more information on any of the content in this article please contact James Healy of Gallaghers at James.Healy@ajg.com.au