Compliance with cyber security regulations is just the first step

27 May 2019

Alex Craggs, Manager, Advisory |

There’s been much change to the cyber security regulatory landscape in Australia in recent years. Of greatest impact has been the introduction of the Privacy Amendment (Notifiable Data Breaches or NDB) Act 2017, or, ‘Notifiable Data Breach Reporting Scheme’, in February 2018. This amendment requires data breaches to be reported to both the consumers affected by the breach, and the Australian Privacy Commissioner. Large fines may be enforced on organisations found to be non-compliant.

High confidence in meeting NDB requirements

It has been great to see many Australian organisations preparing to meet these requirements. Results from the 2018/2019 BDO and AusCERT Cyber Security Survey show that respondents were significantly more confident and prepared to meet their NDB obligations in 2018, compared to 2017 (55.9% completely confident in meeting NDB obligations in 2018, up from 11.2% in 2017). This clearly indicates that respondents have dedicated significant time to prepare and create data breach response plans that include the various steps involved in managing a breach notification and who needs to be notified when a breach occurs.

Testing is the key to success

However, the survey results also show that respondents are failing to adequately and regularly test these response plans - a key step in the process. History has shown us the truth of the adage “no battle plan survives the first encounter with the enemy”. Best to test the ‘battle plan’, or in this case cyber response plan, before it is needed to ensure as many possible scenarios are covered and it can be run through without a hitch when required.

Here are a few tips for testing notifiable data breach response plans:

1. Identify as many scenarios as possible that could result in a data breach

Data breaches that require notification come in many forms – from accidental disclosures, such as emailing Personally Identifiable Information to an incorrect recipient, through to intentional disclosures, such as by malicious attack. A response plan should define the type of response required for each scenario, including who and when to notify and what staff members need to be involved

2. Communicate the plans to all involved parties

It is important that everyone in the organisation knows about the organisation’s data breach response plan and is aware of their roles and responsibilities in case the plan is enacted. Have staff members involved in testing, even for scenarios where they may not be affected, as they can provide valuable insight that may have otherwise been overlooked

3. Test, test, test!

Regularly test the plans through tabletop exercises. After each test, determine where the plan may need to be improved and ensure it is then updated and re-circulated as required. This may seem repetitive, but repeated testing really does aid in helping people remember what is required of them when they experience a data breach or cyber attack.

If you would like to discuss establishing or testing your organisation’s data breach response plan, get in touch with a member of the BDO Cyber Security team.

Download the 2018/2019 results report