The deadline has been known for more than two years, yet many Australian organisations are still woefully unprepared for new data breach regulations that come into effect next month.
From Thursday, 22 February, the Notifiable Data Breaches Scheme (NDB) will require all organisations that are covered by the Australian Privacy Act to notify individuals whose personal information has been involved in an eligible data breach that is likely to result in “serious harm”.
Most people responsible for preparing for the new laws believe it is the responsibility of the IT department to prepare for and prevent cyberattacks, however the legislation is actually more concerned with privacy than security.
With just a matter of weeks left, it may already be too late for most organisations to do much about their IT security, but they can still take steps to lower their risk of being fined or found non-compliant thanks to a privacy lapse.
The key steps your organisation should be taking before 22 February include:
1. Understand what constitutes an eligible data breach
A data breach is more than a hacking attack or some other obviously malicious behaviour. Losing a laptop or USB stick with personal data stored on it can be regarded as a breach.
Giving personally identifiable information (PII) to a third party that is out of alignment with your privacy policy can also be a data breach. For example, if your privacy policy says “we will never give or sell your email to anyone else”, but a marketing manager approves giving it to an external marketing company, that could be considered a breach.
However, unless that action is ‘likely’ to result in serious harm, it isn’t an eligible breach as likely means “more probable than not”. Forwarding a single credit card number to the wrong person is unlikely to cause an issue, however forwarding that same single credit card to a large distribution list raises the probability.
Serious harm isn’t legally defined, but is generally accepted to mean a noticeable negative impact on the victim, be that financial, emotional, or reputational. A simple email address lost from a grocery store marketing list is not likely to result in serious harm, but the exact same breach from a business specialising in erectile dysfunction would.
2. Understand what PII your organisation is holding
It is important to have a clear understanding of what information is being held, how it is used, and where it is stored. It’s vital to ensure all users and owners of the data know what would be considered permitted use of that data, and what would be defined as a data breach.
Also, make sure incidental uses of data are considered. A user might never consider opening a spreadsheet of customer details on their phone however, if their phone automatically synchronises email, it may well contain PII which could qualify as a data breach if lost or stolen. It’s important to remind all users of PII that they have a responsibility to handle that data as if their own records were in that data set.
3. Prepare a data breach response plan
Ensure everyone who handles or has access to PII knows how to answer the following questions:
- If an employee gives away, loses, or has PII stolen, who do they report it to?
- Who will assess whether the data breach is eligible, and what remedial actions will be taken?
- How will this assessment process and the decisions made be documented?
- Who has the authority to take damage limiting and remedial actions, including notifying affected people, the OAIC, law enforcement and the media?
If in doubt, it is generally better to unnecessarily report, rather than to hold off reporting for even a few days. Even though no credit card fraud was ever detected in the Sony PlayStation Network breach at the time, the harshest criticism was their seven-day delay to notify customers, as many were anxiously watching their credit cards. Sony had to pay for fraud watch services for millions of customers afterwards.
4. Review the OAIC “Guide to securing personal information” [1]
Fines are not there to add insult to injury after someone has been hacked. Rather, they’re penalties to those who haven’t taken due care. If you can show the OAIC that you followed their guide, and you still got hacked, they would find it very difficult to fine you.
5. Prepare a longer term PII strategy when you have time
Remember that your strategy should not be an IT strategy, but a business and legal one. Holding PII is a risk and all risks have a cost, calculated as ‘frequency of risk’ x ‘cost of event’. Securing PII is a cost of mitigating the risk, so if the benefit to the business does not exceed the cost of holding PII, it’s a poor decision to hold it. Instead, find a way to avoid it.
For example, charities found it prohibitively expensive to become PCI compliant to process donations. Instead, many have used payment processors and paid them very small portion of each donation. This worked out to be much cheaper for the charities. The same principle should apply to PII. This process should guide you as to how much to invest in IT security to protect your PII.
The bottom line
By following these key steps, your organisation will be in a much stronger position when the new regulations come into force on February 22. Taking action now could prevent significant and costly ramifications in the coming months.
See also: Small businesses face stiff penalties under new data breaches scheme, Ombudsman warns
About the author
Ken Pang is Chief Technology Officer at Content Security and has more than 20 years’ experience in the IT industry. He assists in developing the technical capabilities of Content Security’s consultants and engineers, building and strengthening relationships with Content Security partners, as well as delivering practical and effective security solutions for Content Security’s customers.
[1] https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information