After months of waiting, last month the Notifiable Data Breaches (NDB) legislation came into effect in Australia, bringing us in line with many nations across the world that have similar laws in place. After the long anticipation, however, the question now is 'what's next?'
GDPR too is just around the corner, with a whole range of new implications for organisations which are active in the EU. The new reality is that NDB is going to help organisations realise there are unknown threats out there. With the legislation in place, non-compliance is no longer an option.
Because of NDB, businesses with lax security will now be put in the spotlight and must notify both authorities and affected individuals once they have reasonable grounds to believe there is an eligible data breach. Businesses that don't commit to protecting their customers' data will finally have to face the consequences, and for many, this will be a big wake-up call.
According to data from the Attorney General's Office (Identity Crime and Misuse in Australia 2016), 5% of Australians, in other words almost one million people, were exposed to a breach of their private information in 2016, bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.
Non-compliance with the legislation is only set to see the number of reported breaches rise and more consumers exposed, as organisations that previously kept breaches under wraps now have to come clean. The repercussions for non-compliant organisations are also steep, and we are yet to see the full spectrum of how this will be managed when a large-scale breach occurs.
But compliance is more than just meeting regulatory commitments; it's about adapting to a threat-aware, risk-based approach. There's a broad range of readiness among Australian businesses: some had encrypted and properly stored their data well and truly ahead of the legislation coming into effect. Others may not have even started their NDB readiness journey, too overwhelmed or not sure where to start.
NDB will hopefully shift the dial on the way organisations think about the threats they face and the necessary steps to mitigate risks before a breach occurs.
So, how can organisations adopt this threat-aware, risk-based approach?
The challenge is to detect when a qualifying breach has taken place and determine which assets might be at risk within the 30-day timeframe specified by NDB. Organisations, therefore, need to have data security as an integral part of all systems from the outset, rather than something applied in retrospect.
Taking the approach of always anticipating and avoiding risks where possible, it is necessary to minimise both the number of network intrusions and their time to detection. This reduces exposure to the potentially crippling implications of a serious data breach. A new approach to security, in which all key components of the security infrastructure are woven together into a seamless fabric, is the way forward.
Running a full risk assessment is a useful exercise too. This highlights any potential issues and helps you avoid further problems down the track by managing risks before they become a big problem. It also helps your organisation quickly identify when breaches have happened and report them in line with NDB's requirements.
If your organisation doesn't have the correct processes and systems in place, it's not too late to adopt a threat-aware, risk-based approach. Taking the proper steps to manage issues before they arise will help keep you on the right side of compliance and your organisation's wellbeing intact.