How IT Can Help Save The Pain Of A Data Breach
Posted on March 15, 2018
At the end of February, new laws were enacted in Australia regarding the mandatory notification of data breaches. With large company fines, as well as substantial individual fines for non-compliance, understanding these changes needs to be a top priority for every company in Australia. Whilst the changes affect every part of a business, there are important aspects that need to be covered by IT to ensure that risk is minimised.
Notifiable Data Breach (NDB) Scheme
The Notifiable Data Breaches (NDB) Scheme establishes mandatory notification of data breaches in Australia. It covers all government agencies and businesses subject to the Privacy Act and requires an organisation to notify individuals affected by a data breach. The company can then determine if further action is required.
The scheme is designed to strengthen protection of an individual’s personal information and provide transparency of action when a data breach is recorded. Prior to this, data breach notification has been voluntary, with little transparency afforded to individuals.
As of February 22nd 2018, all entities have a lawful obligation to notify the Office of the Australian Information Commissioner (OAIC) when an eligible data breach occurs. An eligible data breach is one that is likely to result in serious harm to the individual whose personal information is involved in that breach. Harm can be financial or reputational.
Australian Government websites have always been a keen target for hackers, but based on 2015-2016 figures, the OAIC reported that the finance and superannuation sectors were also extremely popular. Health service providers, retail and online services also had a significant number of data breaches.
Currently, according to the ASX 100 Cyber Health Check Report, only 32 percent of companies assess their cyber culture and risk on an annual basis, with only 45 percent of companies confident in their organisation's ability to detect, respond and manage a data breach.
Data breaches can be internal or external and vary from an employee having access to a restricted area outside their current role, to an external, targeted cyber security attack.
Whilst the breadth of risk can be overwhelming, steps can be taken to mitigate the risk.
Broad spectrum security can be applied at a network layer. This can be in the form of secure gateways, like Cloud Firewall and DDoS protection, at the carrier level to divert malicious traffic before it hits a corporate network.
These types of products don’t remove all risk, but with unsophisticated attacks largely ‘held off at the gate’, IT teams can focus on niche risks which can be more difficult to isolate.
The importance of a whole-of-business approach
The ASX 100 Cyber Health Check Report, released last year before the legislation was enacted, called for a greater engagement within entities, not just the CIO or CISO of the company. This report found only 7 percent of ASX company directors clearly understood cyber security in the context in which their own company operated. And almost two thirds of directors (63%) reported their understanding of cyber security risks was limited or non-existent.
With company fines of up to $1.8 million and individual fines of up to $360,000 for non-compliance, it is important to have a good understanding and a strong response plan in the case of a notifiable data breach.
This plan can ensure compliance with legal obligations as well as fast remedial action. The faster an organisation can respond to a data breach, the more likely it is to curb any adverse outcomes.
A good data breach response plan usually follows four steps: contain, assess, notify, and review.
Data breach response plan - contain, assess, notify, review
Entities have an ongoing obligation to take reasonable steps to protect personal information collected. When a breach is known or suspected, the first step should be to contain the breach where possible. This means taking immediate steps to limit further access to personal information.
Entities then need to assess whether the breach is likely to result in serious harm to the individual or individuals involved. If serious harm is deemed to be likely, the entity must notify the OAIC within 30 days of discovering the breach, notify the affected individuals and implement remedial action to reduce any potential harm if this is possible. Entities have the option of notifying all individuals or only those determined to be at risk of serious harm from the breach. If neither of these options is possible or practical, they may publish a statement on their website, with details about the breach and an explanation of what they are doing to remedy the situation. This notification must be publicised.
Finally, whenever an incident occurs, whether or not it results in likely serious harm, further action should be taken to prevent future breaches through a review of processes. This can include developing a prevention plan, investigating the cause of the breach and rectifying it, updating the entity’s security and response plan, and revising staff training practices.
The incident may also need to be reported to other agencies such as the police, ASIC, financial services providers or the Australian Cyber Security Centre.
Notification can be made via the OAIC form here.
If you have any concerns about your readiness for the new mandatory data breach reporting scheme or your company’s response plan and cyber security, please speak with Vocus on 1800 032 290.