From 22 February 2018, organisations will have to notify the Australian Information Commissioner and affected individuals when they experience a data breach — a change that shifts more of the onus onto directors to oversee cybersecurity.
The Notifiable Data Breaches (NDB) scheme is a “new and expanded” aspect of the existing directors’ duties, says Lis Boyce GAICD, a partner at law firm DibbsBarker who advises clients on governance, operations and strategy.
Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, organisations covered by the Privacy Act must notify any individuals likely to be at risk of serious harm as the result of a data breach, according to the Office of the Australian Information Commissioner (OAIC). And they must supply the individuals with recommended steps they should take to protect themselves.
They are also required to notify the OAIC. The Commissioner can seek civil penalties of up to $340,000 for individuals and $1.7 million for companies for serious or repeated failures to comply with the Act, such as failing to notify a breach, as well as the payment of compensation for damages or other remedies.
It isn’t yet clear exactly when these penalties will be applied. However, Jason Wilk GAICD, a director at management consultancy Blue Zoo, says court actions in the US and UK suggest that regulators are not trying to punish those organisations that have attempted to do the right thing and protect their data.
“If organisations have been wilfully negligent about securing information, then directors are in the firing line,” says Wilk, a facilitator of AICD’s Cyber for Directors program.
“But if there has been some effort to try to understand the magnitude of the problem and work their way forwards, penalties have probably not been applied.”
A notifiable data breach could occur when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked or personal information is mistakenly provided to the wrong person.
Any organisation that has responsibilities under the Privacy Act 1988 is subject to the NDB scheme, including Australian government agencies and all businesses and not-for-profit organisations with an annual turnover of more than $3m. Some small businesses are also subject to the scheme, such as private-sector health service providers, businesses that sell or purchase personal information and credit-reporting bodies.
The Privacy Act applies to personal information collected in Australia, and to overseas organisations that have an “Australian link”. For instance, if an individual in Australia enters their information into a US-based shopping site, the information has been collected here and so is subject to NDB requirements. An Australian link can include having offices in Australia, marketing to Australian consumers, or having trademarks and other intellectual property registered in Australia.
When assessing a data breach, directors need to be aware that the scheme takes a holistic view of what is meant by “serious harm”, says Boyce. “This may include psychological, emotional, financial or reputational harm. It could be embarrassment. It could be putting someone at physical risk. If someone has a domestic violence issue and their information gets into the wrong hands, obviously that’s a physical security risk.”
Wilk says, “the devil is in the detail”. For instance, how do directors determine what is meant by “serious harm”? And where the legislation states that organisations must have “reasonable controls over information”, what is “reasonable”?
“One of the hardest things directors are going to deal with is the question: ‘Do you even know what information you have that would fall into that category?’ A lot of organisations wouldn’t,” he says.
Wilk suggests directors use the cybersecurity framework developed by America’s National Institute of Standards and Technology (NIST) when assessing their readiness for the scheme. The framework outlines five functions that can be applied to all types of cybersecurity issues: identify, protect, detect, respond and recover.
Step 1: Identify
“What are we trying to protect?” is a key question for directors when assessing their preparedness for the data-breach notification. “What information do we have that’s likely to cause serious harm? Where is it?” asks Jason Wilk from Blue Zoo. “It’s not all the information, just certain bits. Until a director knows where it is, they can’t make an informed decision as to whether it has been accessed or lost.”
Step 2: Protect
One simple question directors can ask here is: “If we know what’s likely to cause serious harm, then what are we doing about it?”
Step 3: Detect
This is the step where many organisations fall down, according to Wilk. The issue is how an organisation would know that an outsider has accessed its data at all.
“We assume that alarms go off when the bad guys come in. The reality is — for most large organisations — that the time between when they’re attacked and penetrated, and when they find out, is in the order of months,” he says.
Many directors think about how to prevent and respond to breaches, but they don’t consider the important middle step of detecting them.
“How do we know that the information that would fall under the act has been disclosed or lost? Or will we actually know?” says Wilk. Technical expertise is required at this point, so directors will have to engage audit or security firms to check the organisation’s monitoring systems and firewalls.
While large companies are usually organised, small businesses and not-for-profits often don’t have the budget to hire consultants, notes Wilk.
Step 4: Respond
Fix the problem and stop more data leaking.
Step 5: Recover
Recovery is about getting back to business as usual. Directors also need to refer back to the Information Commissioner’s guidance on notification (oaic.gov.au). Some of the specific requirements remain unclear, such as how soon a breach must be notified, whether notification is done by letter or email, and whether the organisation will need confirmation that the notification has been received.
Though there are some grey areas regarding the details of the scheme and the interpretation of some sections, Wilk says directors can still prepare for its implementation on 22 February by working through the five NIST steps.
NDB scheme: The details
- Starts 22 February 2018
- Requires organisations to notify Office of the Australian Information Commissioner and any individuals likely to be at risk of serious harm after a data breach
- Applies to businesses, not-for-profits and Australian government agencies that are required by the Privacy Act to keep personal information secure
- An NDB is one likely to result in serious harm to any of the individuals to whom the information relates
- Individuals can be customers, employees, suppliers, etc.