Chill IT manages the Essential Eight (Australian Cyber Security Centre) for clients, a prioritised list of mitigation strategies to protect data breaches to their system against Cyber Attacks.
You will have seen many recent reports about data breaches in Australia and around the world. Obviously, you want to keep your and your customers’ private data secure. However, do you know your obligations?
An important change occurred on 22nd of February 2018 when the Notifiable Data Breaches (NBD) scheme came into effect.
The notifiable data breaches (NDB) is a scheme under the 1988 privacy act that discusses the requirements for entities responding to a data breach. It is an obligation for organizations to notify the breached parties whenever a data breach is likely to result in “serious harm” to any individual whose personal information is involved in the breach. Serious harm includes physical, psychological, emotional, financial and reputational harm. The Australian Information Commissioner must also be notified of eligible data breaches.
Who must comply with the NDB scheme?
- Agencies and organizations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
- Agencies and organizations that already have obligations under the privacy Act 1988 to secure personal information.
- Entities that have privacy act obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect other types of information outside the scope of their obligation.
- Regulated credit providers (banks or other credit providers).
A data breach occurs if there is an unauthorized access to, unauthorized disclosure of, or loss of information. Examples of data breach includes
- Data or records containing customers personal information is lost or stolen
- A database containing personal record is hacked (Page up recent breach)
- A cyber-attack that results in personal information being disclosed
- Personal information is mistakenly provided to the wrong person
- Employees browsing sensitive customer records without any legitimate purpose
A preparatory checklist
The following steps will help prepare organizations for the new notifiable data breach regime.
- Conduct an information security audit (and fix any issues)
- Establish a data breach response team (In house team or outsource)
- Update and test your data breach response plan
- Update your internal cyber security policies and train staff
- Review key contracts with third party service providers
References
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
https://acsc.gov.au/publications/protect/essential-eight-explained.htm
