
Are you ready for the new Australian NDB regulations?

05 Dec 2017

Similar to the EU (where the GDPR comes into effect in May 2018), Australia is following suit with the Privacy Amendment (Notifiable Data Breaches) Bill, to be enacted into law on 22 February 2018.

Under the mandatory data breach (MDB) requirements, businesses with lax security will now be put in the spotlight and must notify both the authorities and affected individuals once they have reasonable grounds to believe there is an eligible data breach. It is also important to note that the MDB, much like the GDPR, will affect all organisations and customers globally that have dealings with companies in Australia.

According to data from the Attorney General’s Office (Identity Crime and Misuse in Australia 2016), five percent of Australians, in other words almost one million people, were exposed to a breach of their private information in 2016, bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.

Both Australia’s impending Mandatory Data Breach notification law (MDB) and the European Union’s General Data Protection Regulation (GDPR) are a response to these concerns.

With stringent criteria, obligations and considerable non-compliance penalties, both the effort of attaining compliance and the risks associated with non-compliance will undoubtedly increase, and the scale of the changes means organisations should start preparations now.

So, what are the key challenges for organisations?

Complying with the timelines

Australia’s MDB requires organisations to evaluate and report incidents within 30 days. Even more worryingly, GDPR legislation – which affects any Australian company with Australian customers or partners – requires notification within 72 hours.

The challenge is to detect when a qualifying breach has taken place and to determine which assets might be at risk within these specified timeframes. Organisations therefore need to have data security as an integral part of all systems from the outset, rather than something applied in retrospect.

Compulsory regulatory notification

Currently, whilst organisations subject to the Privacy Act are 'encouraged' to notify the Office of the Australian Information Commissioner (OAIC) in the event of a data breach, they have no legal obligation to do so. The legislative changes will make the response to these incidents compulsory and time critical.

Under the new laws, where an organisation has committed "serious or repeated non-compliance with mandatory notification requirements", they could be faced with penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.

Hence a significant data breach can be financially crippling for your organisation, with a range of resultant costs ranging from business interruption, incident response, third-party claims and legal costs, to customer notification expenses and damage to data.

Individual rights

Under the GDPR, individuals are protected against being subject to determinations based on automated systems without human intervention. As such, practices employed by organisations similar to what the Australian Department of Human Services had adopted with its Centrelink automated debt recovery project may find themselves in deep water.

Network security challenges for Aussie organisations

The challenge of an evolving threat landscape is compounded by the adoption of trends such as mobility, cloud computing and the Internet of Things, all of which expand the effective attack surface, expose new vulnerabilities and erode the traditional concept of a network border.

Preparing for the new regulations

With these significant changes set to be introduced, it is important to start considering them as soon as possible. While data privacy compliance is not something that can be achieved through technology alone, the provision of state-of-the-art network security is clearly an essential first step.

To reduce exposure to the potentially crippling implications of a serious data breach, it is necessary to minimise both the number of network intrusions and their time to detection. A new approach to security, in which all key components of the security infrastructure are woven together into a seamless fabric, is the way forward.

Running a full risk assessment can be a useful exercise too. This will highlight any potential issues and enable you to act now to avoid problems when the regulations are introduced. Insurance could also be a consideration, covering losses that may be incurred, while ensuring the right expertise is available when a data breach occurs.

A prudent risk manager should consider their obligations and make sure the correct processes and systems are in place ahead of the legislation coming into effect. And, given the volume of work required to comply with the regulations, starting now is essential.

Article by Jon McGettigan, senior director, Australia, New Zealand & South Pacific Islands at Fortinet.
