You have until February 2018 to prepare for mandatory data breach notifications

Leon Slattery looks at the recent legislation – and you will be surprised at what you need to get done by February next year!

Many people tend to automatically connect data breaches with being hacked. And that includes many in the IT industry. The time has come for a reality check. Breaches can be (and are!) caused by a lot less, and the new legislation calls this out. We’ve summarised the new legislation as meaning two crucial things for your IT department and your organisation more generally.

Firstly, you must understand your obligations under the Australian Privacy Principles (APP), which form part of the Australian Privacy Act. Chapter 11 of the APP is key to this new legislation: organisations must take “reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.” In short, this means that you need to take action to reduce the chances of a breach occurring in the first place. Those who have been taking a ‘watching brief’ of inaction, or simply ignoring the risk, are the most exposed. And those who have been proactive need to ensure that they meet the assessment of “reasonable steps”.

Secondly, the reality is that compromise is inevitable. Organisations need to have a breach response process in place to minimise any damage to business reputation and confidence for ‘when’ they are breached. The old view of ‘if’ a breach will occur is no longer accepted: you simply cannot defend against every type of attack. Instead, building resilience is key. You will need to tell the market when you are breached, so you need to be prepared.

And here’s the kicker – you’ve got less than 12 months to get your organisation ready for the laws to come into effect.

Who has to comply with the new mandatory data breach notifications laws?

All organisations bound by the Privacy Act and APP are affected by this new legislation, which includes:

  • Most Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of over $3 million

But that doesn’t mean that you’re in the clear if your organisation has an annual turnover of less than $3 million. The Privacy Act and APP apply to some types of smaller organisations too, meaning that, by extension, mandatory data breach notification applies to them also. Here are some examples:

  • Child care centres
  • Private schools and private education institutions
  • Private sector health service providers
  • And any individuals who primarily handle personal information such as tax file numbers, credit applications and other personal sensitive records.

What qualifies as a breach? Hint: a lot more than you think!

This is arguably the most significant legislation to be introduced in Australia in relation to privacy and information security. It defines what qualifies as a breach – and it goes a lot further than many would think:

  • Hacking, theft and other malicious activities (the obvious)
  • Exposure of sensitive data to an external party (published intentionally or otherwise)
  • Lost or misplaced devices, media or other hardware (e.g. back-up tapes) that contain personal information

What do I need to do – and by when?

Organisations need to move quickly to understand their current posture. We suggest you start with an assessment of your preparedness to meet the Breach Notification responsibilities. Then you can look at a number of best practices that will set you in the right direction.

Having an Information Security Management System (ISMS) aligned with a recognised standard or framework such as ISO 27001 is a sensible starting point. Having an ISMS in place demonstrates a systematic approach to managing an organisation’s sensitive data.

Those who have an established ISMS should review their policies and procedures against their responsibilities under the new legislation to ensure they are adequately addressing the requirement to “take reasonable steps to protect personal information.”

Organisations should ensure that they have a Data Breach Response Plan in place that addresses new responsibilities for mandatory breach notification, which comes into effect on 22 February 2018.

We’d also recommend organisations undertake a review to ensure they have adequate technology and capability in place to minimise the likelihood of a breach and to rapidly detect and respond to threats before data is lost. Those without in-house information security expertise should seek guidance from a certified service provider to assist with the above.

So what are the risks of not complying?

The penalties for non-compliance with the mandatory notification scheme are significant for both the organisation and individuals working within it. The legislation outlines the risks in no uncertain terms: “Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.”

Insurance is always a good idea, but those thinking they can simply ‘set and forget’ a policy against the risks need to think again. Cyber insurers are likely to require demonstration that “reasonable steps” have been taken to protect personal information in order to provide or pay out on insurance policies. Non-action is not an option anymore. The penalties are just too high.

CSA is here to help – free Mandatory Data Breach Readiness Assessment

We have been consulting to dozens of organisations across the public, private and not-for-profit sectors to help them prepare. Our two-hour assessment will evaluate your organisation’s current posture and preparedness against the official guidelines from the Office of the Australian Information Commissioner. You will take away a scorecard and roadmap that indicate the focus areas required to address your responsibilities under the legislation.

Further reading: Official OAIC page

About the Authors

Leon Slattery is Portfolio Manager Network and Security at CSA. Leon’s security domain knowledge has been acquired over 12 years of experience in the IT services industry focusing on development and delivery of innovative network and security solutions for customers. Leon has applied his skills for clients within Utilities, Finance, Health and Higher Education industries giving him insight into the unique challenges faced in securing information in these environments.