Are you ready for the new Australian NDB regulations?
FYI, this story is more than a year old
Similar to the EU (GDPR to come into effect in May 2018), Australia is following suit with the Privacy Amendment (Notifiable Data Breaches) Bill , to be enacted into law on 22 February 2018.
Because of mandatory data breach requirements (MDB), businesses with lax security will now be put in the spotlight and must notify both authorities and affected individuals once they have reasonable grounds to believe there is an eligible data breach. It is also important to note that MDB, much like the GDPR, will affect all organisations and customers globally that have dealings with companies in Australia.
According to data from the Attorney General’s Office (Identity Crime and Misuse in Australia 2016), five percent of Australians, in other words almost one million people, were exposed to a breach of their private information in 2016 bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.
Both Australia’s impending Mandatory Data Breach notification law (MDB), and the European Union’s General Data Protection Regulation (GDPR), are a response to these concerns.
With stringent criteria, obligations, and considerable non-compliance penalties, both the effort of attaining compliance and the risks associated with non-compliance, will undoubtedly increase, and the scale of the changes means organisations should start preparations now.
So, what are the key challenges for organisations?
Complying with the timelines
Australia’s MDB requires organisations to evaluate and report incidents within 30 days. Even more worryingly, GDPR legislation – which affects any Australian company with Australian customers or partners – requires notification within 72 hours.
The challenge is to detect when a qualifying breach has taken place and determine which assets might be at risk within these specified timeframes. The organisations therefore need to have data security as an integral part of all systems from the outset, rather than something applied in retrospect.
Compulsory regulatory notification
Currently, whilst organisations subject to the Privacy Act are 'encouraged' to notify Australian Information Commissioner (OAIC) in the event of a data breach, they have no legal obligation to do so. The legislation changes will make the response to these incidents compulsory and time critical.
Under the new laws, where an organisation has committed "serious or repeated non-compliance with mandatory notification requirements", they could be faced with penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.
Hence a significant data breach to your organisation can be financially crippling, with a range of resultant costs like- business interruption, incident response, third party claims and legal costs, to customer notification expenses and damage to data.
Under the GDPR, individuals are protected against being subject to determinations based on automated systems without human intervention. As such, practices employed by organisations similar to what the Australian Department of Human Services had adopted with its Centrelink automated debt recovery project may find themselves in deep water.
Network security challenges for Aussie organisations
The challenge of evolving threat landscape is compounded by the adoption of trends such as mobility, cloud computing, and the Internet of Things, all of which expand the effective attack surface, exposing new vulnerabilities, and eroding the traditional concept of a network border.
Preparing for the new regulations
With these significant changes set to be introduced, it is important to start considering them as soon as possible. While data privacy compliance is not something that can be achieved through technology alone, the provision of state-of-the-art network security is clearly an essential first step.
To reduce exposure to the potentially crippling implications of a serious data breach, it is necessary to minimise both the number of network intrusions, and their time to detection. A new approach to security in which all key components of the security infrastructure are woven together into a seamless fabric is the way forward.
Running a full risk assessment can be a useful exercise too. This will highlight any potential issues and enable you to act now to avoid problems when the regulations are introduced. Insurance could also be a consideration, covering losses that may be incurred, while ensuring the right expertise is available when a data breach occurs.
A prudent risk manager should consider their obligations and make sure the correct processes and systems are in place ahead of the legislation coming into effect. And, given the volume of work required to comply with the regulations, starting now is essential.
Article by Jon McGettigan, senior director, Australia, New Zealand & South Pacific Islands at Fortinet.