Directors are preparing for the Notifiable Data Breaches scheme, which takes effect in February 2018
From 22 February 2018, organisations will have to notify the Australian Information Commissioner and affected individuals when they experience a data breach. The change shifts more of the onus onto directors to oversee cybersecurity.
The Notifiable Data Breaches (NDB) scheme is a "new and expanded" aspect of the existing directors' duties, says Lis Boyce GAICD, a partner at law firm DibbsBarker who advises clients on governance, operations and strategy.
Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, organisations covered by the Privacy Act must notify any individuals likely to be at risk of serious harm as the result of a data breach, according to the Office of the Australian Information Commissioner (OAIC). And they must supply the individuals with recommended steps they should take to protect themselves.
They are also required to notify the OAIC. Failing to notify when required is an interference with privacy under the Privacy Act, and for serious or repeated interferences the Commissioner can seek civil penalties of up to $340,000 for individuals and $1.7 million for companies, as well as the payment of compensation for damages or other remedies.
It isn't yet clear exactly when these penalties will be applied. However, Jason Wilk GAICD, a director at management consultancy Blue Zoo, says court actions in the US and UK suggest that regulators are not trying to punish those organisations that have attempted to do the right thing and protect their data.
"If organisations have been wilfully negligent about securing information, then directors are in the firing line," says Wilk, a facilitator of AICD's Cyber for Directors program.
"But if there has been some effort to try to understand the magnitude of the problem and work their way forwards, penalties have probably not been applied."
A notifiable data breach could occur when a device containing customersâ personal information is lost or stolen, a database containing personal information is hacked or personal information is mistakenly provided to the wrong person.
Any organisation that has responsibilities under the Privacy Act 1988 is subject to the NDB scheme, including Australian government agencies and all businesses and not-for-profit organisations with an annual turnover of more than $3m. Some small businesses are also subject to the scheme, such as private-sector health service providers, businesses that sell or purchase personal information and credit-reporting bodies.
The Privacy Act applies to information collected in Australia, and it also reaches organisations outside Australia that have an "Australian link". For instance, if an individual enters their information into a US-based shopping site from Australia, the information has been collected here and so is subject to NDB requirements. An Australian link can include having offices in Australia, marketing to Australian consumers or having trademarks and other intellectual property registered in Australia.
When assessing a data breach, directors need to be aware that the scheme takes a holistic view of what is meant by "serious harm", says Boyce. "This may include psychological, emotional, financial or reputational harm. It could be embarrassment. It could be putting someone at physical risk. If someone has a domestic violence issue and their information gets into the wrong hands, obviously that's a physical security risk."
Wilk says, "the devil is in the detail". For instance, how do directors determine what is meant by "serious harm"? And where the Privacy Act requires organisations to take "reasonable steps" to protect personal information, what is "reasonable"?
"One of the hardest things directors are going to deal with is the question: 'Do you even know what information you have that would fall into that category?' A lot of organisations wouldn't," he says.
Wilk suggests directors use the Cybersecurity Framework developed by the US National Institute of Standards and Technology (NIST) when assessing their readiness for the scheme. Its five core functions can be applied to all types of cybersecurity issues:
Identify
"What are we trying to protect?" is a key question for directors when assessing their preparedness for data-breach notification. "What information do we have that's likely to cause serious harm? Where is it?" asks Jason Wilk from Blue Zoo. "It's not all the information, just certain bits. Until a director knows where it is, they can't make an informed decision as to whether it has been accessed or lost."
Protect
One simple question directors can ask here is: "If we know what's likely to cause serious harm, then what are we doing about it?"
Detect
This is the step where many organisations fall down, according to Wilk. The issue is how an organisation will know that an outsider has accessed its data.
"We assume that alarms go off when the bad guys come in. The reality is, for most large organisations, that the time between when they're attacked and penetrated, and when they find out, is in the order of months," he says.
Many directors think about how to prevent and respond to breaches, but they don't consider the important middle step of detecting them.
"How do we know that the information that would fall under the act has been disclosed or lost? Or will we actually know?" says Wilk. Technical expertise is required at this point, so directors will have to engage audit or security firms to check the organisation's monitoring systems and firewalls.
While large companies are usually well organised, small businesses and not-for-profits often don't have the budget to hire consultants, notes Wilk.
Respond
Fix the problem and stop more data leaking.
Recover
Recovery is about getting back to business as usual. Directors also need to refer back to the Information Commissioner's guidance about notification (oaic.gov.au). The Act sets the outer timing: a suspected breach must be assessed within 30 days, and once the organisation is aware of an eligible breach it must notify as soon as practicable. Some of the practical details are less settled, such as whether notification is done via letter or email, and whether the organisation will need confirmation that the notification has been received.
Though there are some grey areas regarding the details of the scheme and the interpretation of some sections, Wilk says directors can still prepare for its implementation on 22 February by working through the five NIST steps.
NDB scheme: The details
- Starts 22 February 2018
- Requires organisations to notify the Office of the Australian Information Commissioner and any individuals likely to be at risk of serious harm after a data breach
- Applies to businesses, Australian government organisations and agencies required by the Privacy Act to keep information secure
- A notifiable data breach is one likely to result in serious harm to any of the individuals to whom the information relates, where the organisation has not been able to remove that likelihood through remedial action
- Individuals can be customers, employees, suppliers, etc.