Small and medium sized organisations are increasingly under pressure to comply with the Notifiable Data Breaches (NDB) Scheme, which came into effect in February 2018. This comes as a surprise to businesses with an annual turnover of less than $3 million, because the legislation applies directly only to organisations that are subject to the Privacy Act, which in general means those with a higher turnover.
The reason that SMBs are being asked to comply with the NDB scheme, an amendment to the Privacy Act 1988, is because of their supplier relationships with larger companies. The bigger organisations that are subject to the NDB are beginning to realise that small suppliers are often the weakest link in their security chain. Hackers often target small companies knowing that their information security practices usually don’t meet the standards that large companies have put in place.
As a result, hackers use the supplier relationship, and the interlinked business networks, as a stepping stone into the larger organisation's network, compromising its systems and stealing sensitive information, which leads to a data breach.
In the most recent statistics released by the Office of the Australian Information Commissioner, which oversees the NDB Scheme, there were 242 notices of breaches. This reporting period ran from 1 April to 30 June 2018.
The sectors that notified the OAIC of the most eligible breaches were led by healthcare, which was responsible for 49 breaches, while finance came in second, with 36 breaches. Legal, accounting and management services came in third, with 20 breaches, followed by education, with 19 breaches, and business and professional associations, which were responsible for 15 breaches.
Of those breaches, most involved the personal information of 100 or fewer individuals. Eighty-nine percent of breaches involved contact information, 42 per cent were financial details, and 34 per cent were identification data. Fifty-nine percent of breaches were the result of malicious or criminal action, 36 per cent were the result of human error, and 5 per cent were attributable to system faults.
The OAIC report demonstrates that most of the businesses involved in disclosing a breach were the types of organisations that have extensive supplier relationships with smaller companies. In the healthcare, legal and finance industries, there are myriad smaller companies with ties to larger firms in terms of business or supplier agreements.
This also means that their IT systems are entwined, with smaller companies being given access to the larger companies' systems. This creates a stepping-stone entry pathway for any hackers who want to compromise the larger organisation's systems. Put simply, smaller companies usually don't have the resources to spend on IT and cybersecurity, and are frequently concerned about what it will cost them to comply with laws like the NDB Scheme.
Despite the fears of small companies about compliance and cost, there are substantial benefits to complying with the Privacy Act and the NDB Scheme. Compliance creates a more secure, healthier environment for all business activity, as well as providing reassurance to the customers of both large and small organisations that their personal data is being handled appropriately.
Much of the pressure that is being placed on small business in terms of compliance is coming from the legal fraternity. Legal advisors for large companies are concerned about supplier relationships, and what it means for a breach notification if a smaller company is compromised and used as a path into a larger company’s systems.
There's still a large grey area around the NDB Scheme when it comes to breach notifications: if there is a supplier relationship and there is a breach, who needs to disclose it? Is it only the final organisation in the supply chain, or every organisation that has been compromised along the way? These questions remain unanswered, and they are also the reason that lawyers are putting pressure on the smaller companies to step up. Large organisations don't want liability to fall back on them if there is a data breach somewhere in the IT chain.
Smaller companies (more than 90 per cent of Australian businesses) need to respond by seeking legal advice that mitigates their risk. At the end of the day many big businesses depend on smaller service providers, so the solution lies in negotiation and careful documentation of the terms of the agreement, including the cyber security obligations, so that both sides are protected and know what is expected.
The good news is that security and compliance don't necessarily have to involve a huge resource and budget outlay. An investment in good security pays off over time, with better supplier relationships and more trust from customers. It's imperative for SMBs to invest in the future of their company by adopting best practices for data protection, regardless of whether they are officially required to by the NDB Scheme.
Helaine Leggat is a board director for the Australian Information Security Association (AISA) and head of cyberlaw at Sladen Legal.