Is your organisation ready for mandatory data breach reporting?

Australia has entered into a new cyber security era with the Notifiable Data Breaches (NDB) scheme that came into effect on 22 February 2018.

The scheme impacts all organisations with a turnover of more than $3m, and many others below that threshold that hold personal data, including banking details, medical records, addresses and phone numbers, in hard copy or digital format. In short, the NDB scheme applies to any organisation that is considered an APP entity under the Privacy Act.

From 22 February 2018 onwards, data breaches – whether actual or suspected, and applying both to staff and client data – legally must be reported to the Office of the Australian Information Commissioner (OAIC). In addition, the individuals whose data is compromised must be notified 'as soon as is practicable'.

Non-compliance can attract steep penalties of up to $1.8 million for businesses and $360,000 for individuals.

Why has the Federal Government taken this action?

For a variety of reasons, Australia has been identified as an attractive target for cyber criminals, who use our relatively small population to test new attack tools. In 2017, 59% of organisations in Australia reported business-interrupting security breaches on an at-least monthly basis.

What constitutes a reportable data breach?

According to the OAIC, a reportable data breach is unauthorised access to or disclosure of personal information about one or more individuals where this could result in serious harm, including:

  • physical
  • psychological
  • emotional
  • economic
  • financial
  • reputational

The likelihood of harm occurring is a factor and can depend on the sensitivity of the information, whether it has been encrypted and how vulnerable the security measures protecting it might be to compromise. If an organisation suspects a breach has occurred, it is required to carry out and record a detailed assessment, within 30 days, of whether an eligible data breach has in fact happened.

Being able to remediate the issue immediately has a direct bearing on the likelihood of serious harm occurring. This is a compelling reason for having dedicated cyber security resources and a coordinated plan in case of a breach.

Have an action plan

The first step of an action plan is appointing a dedicated team of trained personnel who can take immediate action to respond quickly and effectively if a suspected breach occurs.

You also need a checklist in place to apply a methodical approach to containing and evaluating the breach, notifying those affected, and preventing further damage.

Organisations should as a priority conduct an up-to-date audit of the data they collect on their clients and customers, keeping only what is essential to operations. This information must be encrypted and secured.

Line up your resources

In the case of a data breach, in-house or external resources should include a technical forensics analyst, legal counsel and communications specialist to enable an immediate response and damage limitation.

Specific insurance cover is also highly recommended. A comprehensive cyber insurance program needs to cover multiple risks, from financial loss to legal costs, and should be put together by a broker who understands both your operation and how a data breach could impact it.

For more information on any of the content in this article please contact James Healy of Gallaghers at 
