The countdown to Notifiable Data Breaches (NDB) is on. Time is creeping up on us before Australia’s new Privacy Amendment Act 2017 settles into place. The new legislation comes into effect from 22 February 2018, and with it new implications for businesses that don’t have their security in order.
Concerningly, many businesses do not seem to be prepared: in a recent poll of over 100 Australian IT professionals, 58 per cent did not have a data protection task force in their organisation and 60 per cent hadn’t even read the NDB amendment. Just 13 per cent had an NDB strategy planned.
Not only will businesses that experience breaches be required to notify authorities, they’ll be thrust into the spotlight as they inform individuals whose data may be at risk. It could mean serious reputation damage and erode the trust of consumers.
While data breach laws are not new by any means, they are to the majority of Australian businesses. The changes will bring Australia in line with other nations around the world that have long had mandatory data breach laws. The US state of California has had data breach laws since 2003, while Europeans will see the EU General Data Protection Regulation (GDPR) come into effect in May 2018.
Importantly, NDB will affect all organisations and customers globally that have dealings with companies in Australia. Almost all significantly sized Australian businesses must comply.
What do the NDB laws include?
NDB will require any public sector organisation, any private sector organisation with annual turnover over $3 million, and any other organisation already required by the Privacy Act to keep information secure, such as health care providers and NGOs, to disclose a data breach that is likely to result in serious harm to any individual to whom the information relates.
Serious harm can be a tricky concept to interpret in the context of data. Under the scheme it’s subjective: serious harm will be assessed depending on the type of information, its sensitivity, how it was protected and who exactly got hold of it. Harm can include identity theft, financial loss or threat to physical safety; if leaked data from your organisation is used to fraudulently set up credit cards in a person’s name, this could fall under multiple types of serious harm.
We’ve already seen how data breaches can impact share prices. Ultimately, NDB could cause harm to an organisation’s bottom line too if they can’t keep their data in check.
So how can businesses ensure they are best protected against data breaches and compliant with the new laws? We’ve outlined four key steps below:
1. Identify where sensitive data is stored
A critical first step for all organisations is to establish a clear picture of where sensitive personal data lives, determine who has access to those systems and services, and confirm that this access is tracked. Location includes both the geographic (such as a particular data centre) and virtual environments like the cloud. Organisations that still use physical storage, including old hard drives or servers, should be keeping tabs on what data is kept on them, how sensitive it is and how it is secured.
2. Minimise data storage locations
The more places you can find data, the higher the risk of a breach. For example, you wouldn’t keep personal documentation such as birth certificates, passports or marriage certificates stored haphazardly around the house. Data should be consolidated and kept in as few locations as possible.
Reducing the number of environments and disparate systems containing sensitive data helps streamline businesses’ compliance efforts and keeps them on the front foot of security.
3. Make the most of encryption and key management
The reality for organisations nowadays is that breaches happen; it’s not a matter of if but when. Protecting yourself against a worst-case scenario by encrypting means that when data is breached it’s useless without the key. For organisations facing NDB compliance, robustly encrypted data could help them escape the ‘serious harm’ definition within the legislation. Essentially, businesses would no longer have to disclose the breach, as the effects would be negligible.
When you move house it’s ideal to change the locks; who knows how many copies of the keys are floating around in the hands of ex-owners or renters. Managing access, be it to a house or a system, is essential to lower risk. The fewer people who have access and the more reliably you can verify who they are, the more secure your data will be. Weak, static credentials are frequently reported as the tool used to gain access to sensitive resources or to launch a full-blown data breach. Strong multi-factor authentication is key to protecting resources and closing off that avenue of attack.
It’s time for businesses to get familiar with details of the NDB as there’s now less than 100 days until the legislation comes into play. It’s imperative to consult professionals who can get you on the path to compliance. Preparation now will ensure your business is in the best position when the laws come into effect, adding security not only to your data but to your reputation and bottom line.