Menlo Security's perspective: Addressing the Australian Notifiable Data Breaches Bill
FYI, this story is more than a year old
Recently, the Parliament of Australia passed a bill requiring Australian organisations to disclose any data breach involving personally identifiable information (PII), including but not limited to tax file number information, credit card information, and credit eligibility information.
With similar laws abandoned in the legislature twice before, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced into the Parliament of Australia on 19 October 2016, and was passed on 13 February 2017. The new Bill becomes law and be in full effect by either an as yet to be determined date, or a year after the Bill receives royal assent.
The new Notifiable Data Breach Bill covers most Australian Government departments and agencies – except for intelligence agencies – as well as all private sector and not-for-profit organisations with annual revenue of AU$3 million (US$2.3 million) or greater.
It also applies, though, to some organisations with annual revenue under AU$3 million, including private hospitals, doctors, pharmacists, chiropractors, other health professionals, gyms, weight loss centres; child and day care centres; private schools; organisations selling or purchasing personal information; credit reporting organisations; and even individuals handling personal information – such as personal credit information, tax filers, personal property information, health records holders, conviction records, etc. – as a business.
Even contracted providers of services to the Commonwealth of Australia a not exempt from the Bill. Other businesses with revenue less than AU$3 million annually, state or local government agencies, public schools and universities, media organisations, and registered political parties and their representatives are exempt from the Bill.
What constitutes a “data breach” under this new Bill?
According to the Bill, and its summary, an “eligible data breach” is when a reasonable person would construe that unauthorised access to or disclosure of personal information might result in “serious harm” to the individuals’ associated with the information. “Serious harm” could include not only economic or financial harm, but also physical, psychological, and emotional harm, as well as serious harm to reputation, and more.
But, data breaches are not only limited to nefarious actions, like thefts or hacks. It can also apply to any accidental loss or disclosure of someone’s personal information caused by an organisation’s failure to apply “reasonable” care in the handling of the personal information.
In this case, “reasonable” can include the type or sensitivity of the information, if the information is protected by one or more security measures – and if that security could be easily hacked, who could obtain the information, if the information has been encrypted or rendered useless or meaningless to the unauthorised person, and the depth of the potential harm to the individual or individuals.
Plus, if an organisation takes corrective action after a breach of PII has occurred that lessens the likelihood of lost or stolen information causing serious harm to affected individuals, the organisation is not required to report the data breach.
In some situations, an organisation may not be sure that a breach involving PII has even occurred. In these cases, Australia’s new Notifiable Data Breaches Bill gives the organisation up to 30 days to investigate whether a breach notification is even necessary. But, according to some publications, if there is a literal interpretation of the language in the new Bill, an organisation must disclose information about a breach, even if they only believe a breach has occurred!
So, if an organisation becomes aware of a breach of personal information or if they even believe a breach of PII is to have occurred, they must prepare a detailed statement laying out the specifics of the breach, and notify both the Australian Privacy and Information Commissioner and any individuals at risk of or affected by the actual or suspected data breach as soon as reasonably possible, or “practicable.” If it’s not possible to notify at-risk or affected individuals of a PII breach, the Bill requires that the organisation publish a statement on its website.
But today, personal information can come from any corner of the world.
According to Australia’s Notifiable Data Breaches Bill, even personal information from anywhere in the world--held or used by an Australian organisation-- that is at risk of or affected by a data breach must be handled in the same manner, as if the PII was from an Australian user.
That can be extremely costly for Australian businesses! Additionally, at the moment, exactly how an Australian organisation should deal with personal information that has been breached or is at risk of breach, but that is stored by an offshore or overseas third-party or partner is rather unclear. So, this leads to more uncertainty for Australian businesses and organisations.
Should an organisation fail to comply with the Bill and its notification requirements, there can be dire legal and financial consequences, in addition to costs to the business’s reputation, including “civil penalties for serious or repeated interferences of an individual’s privacy”, with a maximum penalty of AU$360,000 (US$276,000) for individuals and AU$1,800,000 (US$1.38 million) for businesses.
Now that Australia has passed this Bill, there is anticipation that other countries in the region will likely increase the push in their legislatures for similar bills.
So, if you’re an Australian organisation that has over AU$3 million in annual revenue or is under AU$3 million in annual revenue but deals with tax IDs, credit cards, credit data, or even an individual whose business deals with the same, how can you be sure to protect your users – local and worldwide – from theft and hack of their personal information, and your company or yourself from the fines, bad press, reputation hits and ultimate loss of business and revenue a theft and hack of individuals’ personal information brings?
Isolation technology from Menlo Security can help.
Today’s attackers are smart, motivated and well-financed. In many cases, hackers are driven by greed: The more – and better – personal information they can steal, the more Bitcoin they can get. Some are nation-state based, with an incredible number of resources at their fingertips. They’re attacks are sophisticated and innovative, releasing advancements faster and faster, making it nearly impossible for prevention and detection technologies to keep pace.
Isn’t it time for a new approach?
The Menlo Security Isolation Platform delivers web-malware, phishing and ransomware elimination for any organisation, regardless of size. It supports virtually any computing or mobile device, operating system and web browser, while delivering a seamless, native user experience with no perceptible latency.