How to prepare for Australia's imminent compulsory data breach notification scheme

If you need assistance with responding to the upcoming Notifiable Data Breaches scheme, contact Doll Martin Associates at or via the button at the bottom of the page.


Data breaches, by the dollars

The 2017 Cost of Data Breach Study [1], released by the Ponemon Institute, put the average cost of a data breach in Australia at US$2.51 million.

These costs stem only from the impact of the breach itself. They do not include penalties or fines for non-compliance with the Privacy Act, or costs arising from court action.

The report also notes that the time taken to identify and contain a data breach has a significant effect on its cost. Knowing which breach risks your business faces, and how to respond to them in an efficient and structured way, will ultimately bring those costs down.



Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on 22 February 2018. Under the scheme, covered organisations that suspect a breach must assess it within thirty days and, where the breach is likely to result in serious harm to the individuals concerned, notify those individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. Despite the approaching start date, there is still a lot of uncertainty about the specifics of the scheme. Does the NDB scheme affect my organisation? What kinds of incidents need to be reported? And do we even have the processes in place to identify a breach?

You might be tempted to settle every security question by buying a single off-the-shelf software product, but software alone won't save you from the costs and work involved in responding adequately to a data breach. It cannot easily alert you to suspicious staff activity or to unsecured data inside your own systems, and it will struggle to account for the myriad emails, USB sticks and personal online storage accounts that employees often use.

Instead, organisations should pursue a smarter and more structured response to data breaches, and use the arrival of the NDB scheme as the occasion for a meaningful data-security risk-minimisation exercise.

What steps do you need to take to prepare for next February?

Who has to comply with the NDB scheme?

Australian Government agencies, any Australian business or not-for-profit with an annual turnover of more than $3 million, and any organisation that provides health services or otherwise handles health information must comply. Any organisation that collects tax file number information must comply with the NDB scheme for breaches involving that information, regardless of its turnover.

In short, if you already have obligations under the Privacy Act, you will need to comply with the NDB scheme, which requires you to report data breaches that are likely to cause serious harm. The scheme is not designed to be onerous, and the penalties for non-compliance are small next to the financial and reputational harm a data breach itself can cause. That is why the introduction of the NDB scheme is a good opportunity to establish sound data breach practice in your organisation.

What should you do now?

This really depends on how rigorous your organisation's current data breach procedures are. In the event of a breach you will need to start remedial action quickly while assessing the seriousness and likelihood of the harm the breach could cause. You'll then need to manage a communications effort that delivers this information, along with your recommended next steps, to a range of stakeholders, which may include customers, clients, partners and the Office of the Australian Information Commissioner (OAIC).

For organisations that already understand their data landscape and the risks involved, and that have formulated response and notification strategies, only a simple reporting step remains.

But for many organisations this groundwork is lacking.

Doll Martin Associates suggests starting with a data-centric approach. By February next year, you should know what data you collect, which of it is classified as personal information, and what security, access and technical arrangements govern its storage. From this you can build a data risk profile specific to your organisation.

You can use this information to review and update your data breach response policy, practices and procedures. These should identify who in your business is responsible for monitoring for breaches, the steps for assessing a breach, and how the crucial information is communicated to both the affected individuals and the OAIC. It is important to view breaches as more than a technology issue: they centre on the data you hold and use, and so extend to the operational and communications parts of your business.

Doing this means resolving some tricky lingering questions about the security of your data. Where are the weaknesses in your technology environment? What doesn't your security software cover? Would you know if your business's data was accessed by an unauthorised insider? Do you know what contractual arrangements you have in place with third-party providers, and what they oblige those providers to tell you? Knowing the answers to these questions will save you from non-compliance with the NDB scheme and from the growing costs of data breaches.

And, of course if you need any help, just contact Doll Martin Associates at or via the button below.