Notifiable Data Breach Legislation
The countdown is on for the Notifiable Data Breach Legislation. Are you ready?
It’s coming… The clock is ticking. Australia’s new Notifiable Data Breach Legislation is going into effect 22 February 2018.
The new law brings Australia in line with the rest of the world. It introduces new reporting obligations for the government and organisations with a turnover of more than $3 million a year, including government agencies and organisations governed by the Privacy Act. And it will help individuals whose personal information is involved in a data breach that is likely to result in serious harm – so they’ll be properly informed of what has happened.
Why was the legislation introduced?
The objective of the Notifiable Data Breach Legislation is to build community confidence in the handling of personal information – achieved by strengthening the protection of personal information. Previously, large organisations were not legally obliged to notify customers following a data breach. They were able to ‘sweep it under the carpet’. Not anymore. Organisations now have a legal obligation to report a data breach under certain conditions outlined in changes to the Privacy Act.
The Office of the Australian Information Commissioner (OAIC) has produced several guides including Data breach notification — A guide to handling personal information security breaches and a Guide to developing a data breach response plan that provides insight into what to do when a data breach occurs. But is this enough?
Should your organisation know what to do in the event of a breach, or should your organisation put measures in place to prevent a data breach occurring?
We believe organisations must take a more proactive approach. They must ensure they’re aware of any personally identifiable data stored in their organisation and ensure their end-to-end payment systems are secure and PCI DSS compliant.
How is a data breach defined by the new legislation?
A data breach is defined as any unauthorised access, unauthorised disclosure or loss of personal data. A breach is considered ‘eligible’ if it is likely to cause serious harm to any individual whose personal data has been compromised and if any remedial action taken has not prevented the risk of serious harm.
Once a data breach has been identified, the organisation has an assessment period of a maximum of 30 days to investigate the breach and determine if it constitutes an eligible breach. During this period, the assessment must be initiated, and the breach then investigated and evaluated to determine whether it is eligible. If it is eligible, then it must be reported to the Office of the Australian Information Commissioner and the affected customers.
What type of personal information is involved?
Some personal information is more likely than others to cause serious harm. This type of information is commonly called ‘personally identifiable information’ or PII data. This type of information can help to distinguish one individual from another and can contain information such as:
- Payment information such as credit card or bank account details (for direct debits)
- Health information such as medical records
- Information on any documents that can be used for identity fraud such as Medicare numbers, driver’s licences or passports.
Any information that someone could obtain easily from social media sites or through public records is not considered sensitive.
First things first – find any unsecured personally identifiable information on your IT system
A critical first step in preparing for the legislation is to identify any unsecured PII data currently on your IT system. Unsecured PII data is the primary target of cybercriminals. In fact, there are over 110 different types of personal data that can be used to identify, contact or locate a single person.
This information can be located in a variety of locations including email servers, database servers, operating systems and cloud systems. The challenge is to find it before any cybercriminals do.
IPSI’s Data Discovery Platform will find, remediate and secure unprotected PII data across your entire IT system. It also helps to make security a business-as-usual practice by continually scanning your IT system for unsecured data and providing detailed reports updating your security status. Any unsecured data will be identified in real time, with notifications to alert you that your security is being compromised.
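As an added illustration of what the discovery step described above involves (this is example code written for this page, not IPSI's platform or any code from the original), the Python scanner below flags Luhn-valid payment card numbers and checksum-valid Medicare numbers in a few constructed sample lines, and reports only masked values so the report itself does not become another copy of the PII:

```python
import re

# Constructed sample data (not from the original page): lines of the kind a
# discovery scan might encounter on a mail server or in a database export.
SAMPLE_LINES = [
    "Invoice 1042 paid with card 4111 1111 1111 1111 exp 12/20",
    "Ticket ref 2020-111-222 closed",            # digits, but not a card
    "Patient medicare 2123 45670 1 admitted 3 Jan",
    "Order id 4111111111111112 shipped",         # 16 digits, fails Luhn
]

# Candidate patterns; the checksums below reject most false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MEDICARE_RE = re.compile(r"\b[2-6]\d{3}[ -]?\d{5}[ -]?\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def medicare_ok(digits: str) -> bool:
    """Australian Medicare number: 8 digits weighted 1,3,7,9,1,3,7,9,
    sum mod 10 equals the 9th digit; 10th digit is the issue number."""
    if len(digits) != 10 or digits[0] not in "23456":
        return False
    weights = [1, 3, 7, 9, 1, 3, 7, 9]
    total = sum(int(d) * w for d, w in zip(digits[:8], weights))
    return total % 10 == int(digits[8])

def mask(digits: str) -> str:
    """Keep only the last four digits in any report output."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(lines):
    """Return (line_no, kind, masked_value) for each validated finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((n, "card", mask(digits)))
        for m in MEDICARE_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if medicare_ok(digits):
                findings.append((n, "medicare", mask(digits)))
    return findings
```

In a real deployment the same validated-pattern approach is run over mail stores, database dumps and file shares, and each finding is tied to a remediation action (delete, tokenise or encrypt) rather than just logged.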
Evidence of remediation is critical – and can prevent the need for notification
It goes without saying that notification should be avoided at all costs. It can have a major impact on consumer confidence, attract negative media interest and damage your brand reputation.
Evidence of successful remediation following a data breach can stop any need for notification if there is no longer a threat of serious harm from the breach. For example, if personal information is lost following a breach, notification is not required if the remediation prevents unauthorised access or disclosure of the lost information.
But the question remains: How ready is your organisation to remediate following a data breach?
For most organisations, unfortunately, the answer is not ready at all. Once again, a proactive approach is required to be able to remediate following a breach. This includes having the required tools and data breach response plan ready for activation when required.
Lock down your end-to-end payment systems and ensure PCI DSS compliance
Credit card and personal payment information remain a primary target for cybercriminals. In 2016, $534 million was lost in Australia to credit card fraud. It’s expected to be even higher in 2017 when updated figures are released.
The fact is that credit card and payment data are collected via your payments system. It is the front door by which credit card data can potentially enter your organisation. PCI DSS compliance will ensure your organisation does not collect and store payment data – ensuring that hackers have nothing to find in the event of a data breach.
The challenge with any payment system is balancing security needs with customer expectations. While customers require (and expect) multiple methods of payment, this can present challenges if payment systems aren’t integrated with seamless data exchange, branding and workflows.
IPSI’s Enterprise Payment Solutions are scalable, feature rich and above all, PCI DSS compliant. They balance the needs of customers by managing multiple customer touchpoints, and ensuring payment information does not enter your IT system – ensuring if a hacker gains access to your IT system, there is no credit card or personal payment data to find.
The deadline is approaching. What should I do NOW?
With the Notifiable Data Breach Legislation coming into effect on 22 February 2018, we’ve prepared a quick fact sheet that outlines a list of key items to prioritise before the laws come into effect.