The data breach notification scheme is here: are Australian businesses prepared?

21 February 2018

The Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into force on February 22, bringing with it potential financial penalties for Australian businesses who fail to comply.

Understanding the nuances of which businesses need to comply, what constitutes a notifiable data breach (NDB), and what needs to be done to report and rectify the breach now needs to be navigated by business owners.

But are businesses prepared for this change? The BDO and AusCERT 2017 Cyber Security Survey found that more than a third of respondents did not know if their organisation must comply with the notifiable data breaches scheme - while less than half of the organisations required to comply were confident in being able to do so.

And when respondents were prompted on their levels of readiness for notifiable data breaches, only around half had implemented (or had planned to implement by February 2018) the basic first steps in cyber security.   

Let’s look at the typical traits of those who are confident of compliance, and those who are unsure:

Organisations less confident in meeting NDB obligations

  • Not-For-Profits constitute the largest sector
  • Generally, experience more incidents (more than 50% had an incident in 2016-2017)
  • Have cyber security capabilities but are mostly not aligned to business objectives
  • Are not necessarily smaller in revenue than those who are confident (a wide range of organisations are unprepared for NDB)
  • Spend less on IT, and spend less IT budget on IT security
  • Mostly increased their IT security spend last year
  • Had higher increases and bigger decreases in their IT security budget

Organisations completely confident in meeting NDB obligations (keeping in mind that half of this group are actually not meeting obligations*)

  • Information, media and telecommunications constitute the largest sector
  • Generally, experience less incidents (36% had an incident in 2016-2017)
  • Only 36% satisfied all key requirements to meet NDB obligations
  • 46% had not yet implemented key baseline NDB processes and controls, such as completing a privacy impact assessment or data breach response plan
  • Over 80% received threat intelligence
  • 90% had incident response plans
  • 100% performed threat and vulnerability scanning
  • Most increased their IT security spend

While it is great to see the very high levels of uptake in threat intelligence, incident response plans and threat and vulnerability scanning within the ‘confident of compliance’ group, this is mostly only occurring in mature organisations with dedicated IT security resources.

What the survey results have highlighted are that too many organisations are still unsure what needs to be done to prepare for notifiable data breach obligations. This introduces regulatory risk, where organisations run the risk of being overly-confident in their compliance.

A few proactive steps organisations should regularly undertake to be ready for NDB compliance, are:

  • Complete a data privacy impact assessment
  • Create a data breach response plan
  • Develop a process to assess risks related to personally identifiable information held by the organisation
  • Develop a process to identify the harm or potential harm caused by a breach of data held by the organisation
  • Develop a process to determine when a data breach notification needs to made

If your business is regulated under the Privacy Act 1998, then the notifiable data breaches scheme applies to you, and you will be required to report if you experience an actual or suspected breach. Are you sure your business is ready? 

For assistance with the any of the steps listed above, and to find out the rest of the essential steps to NDB preparedness, please feel free to contact me.

* Compliance with NDB obligations was determined by survey respondents completing a checklist of NDB processes and controls, created in line with government guidelines and industry best-practice.