Australia's new mandatory data breach disclosure laws which came into force in February have a particular impact on IT service providers that offer data hosting services to their customers.
The legislation requires businesses and government agencies to report on data breach incidents.
This helps to protect individuals and businesses from the unintended consequences of having their private data exposed.
The sooner a victim is notified of a data breach, the sooner action can be taken to lessen the harm.
Since IT and Managed Service Providers (MSPs) host sensitive information on behalf of clients, who might be individuals or other businesses, the new requirements affect their core operations.
The new legislation establishes requirements for entities in responding to data breaches.
The Office of the Australian Information Commissioner (OAIC) has clear requirements for reporting a notifiable breach.
It is imperative that managed security service providers (MSPs) develop strategies to prevent data breaches from occurring, and a contingency plan for a notifiable breach likely to result in serious harm to a person or organisation.
What does this mean for MSSPs?
Essentially any organisation storing customers' personal information will need to show that certain measures have been established to protect and secure information.
Since MSPs build their businesses on storing third-party information, the NDB scheme is a major issue for them.
Failure to implement a data breach response plan and to show that appropriate steps have been taken in the event of a breach could result in heavy fines and a potential inquest by the Australian Information Commission.
StorageCraft ANZ technical services director Jack Alsop says breach disclosure laws add a level of accountability for organisations already bound by compliance regulations.
“Data retention requirements, operational business continuity and now breach disclosure requirements dictate an end-to-end data protection strategy and architecture for MSPs,” Alsop says.
“Unfortunately, data security and data protection strategies still tend to be separate.
Compounding the data security equation, the European Union's General Data Protection (GDPR) regulations came into force in Australia and New Zealand on May 25.
The GDPR introduces substantial changes to data protection law.
Any company (regardless of geographic location) that is processing the personal data of individuals in the European Union will need to comply with the regulation.
The penalties for non-compliance can be upward of four percent of a company's global turnover.
In spite of guidelines from the OAIC, there have been reports in Australia's business media of confusion and lack of understanding among vendors and stakeholders involved.
In most cases, Australian IT service providers and MSPs are entities covered by the NDB scheme, so they need to be prepared for the new requirements.
For the average service provider, the new laws will mandate new processes for dealing with the change.
They must ensure that appropriate change management is in place to inform staff and respond in the event of a breach.
Alsop says the changes offer significant opportunities for MSPs to improve their internal data protection services, to better secure the data and prevent breaches.
“Breaches of sensitive information often involve access to data stored somewhere, like a backup,” he says.
“If this data is secure, the chance of a breach is dramatically reduced.
Tips for MSSPs
- Understand. Know your exposure to data breaches and mandatory disclosure. Not all companies are required to disclose a breach, although most mid-sized IT and MSPs will fall into the category.
- Prevent. Develop a comprehensive security and data protection strategy to prevent a breach before you need to disclose it.
- Encrypt. Encrypt data wherever possible. Breached encrypted data can still be decrypted somehow, but attackers are likely to focus on an easier target.
- Plan. Develop a response plan that is compliant with the NDB scheme. Any company can be breached so make sure you have a plan in place to deal with it if it does happen. And pretending it will not happen is not an option.
- Business continuity. A data breach (or malware attack) can be very damaging to your business and, therefore, your customers' businesses. You need an end-to-end DR and business continuity strategy to ensure the business can continue on while a breach is notified.