Navigating Notifiable Data Breaches (NDB): Protecting Your Business

Jan 23, 2020
Cyber Security

On 22 Feb 2018, new privacy laws, known as the Notifiable Data Breach (NDB) scheme, came into effect in Australia. Designed to create more transparency and protect the rights and security of individuals, the scheme regulates the reporting and notification of eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and the impacted individuals.

Despite the scheme being in place for nearly two years, many Australian businesses still don’t understand how to meet the requirements of the amendment to the Privacy Act.

Not only does your business need to be aware of what constitutes a notifiable data breach, but it should also have a suitable response plan that can be quickly implemented should a data breach occur.

As thousands of businesses across Australia know, we take security seriously. Not only are we committed to protecting our data, but we also offer cyber security services to protect other businesses’ data. Keep reading to learn more about notifiable data breaches and how you can ensure your business remains compliant.

What is a data breach?

A data breach is a security incident where private information is accessed without authorisation. Not only is it costly, but it can also hurt businesses and consumers in several ways. Depending on the type of information breached, lives and reputations can be damaged, taking significant time (and money) to repair.

Some of the ways a data breach can occur include:

  • Phishing attacks
  • Man-in-the-middle (MitM) attacks
  • Drive-by attacks
  • Malware or viruses
  • Human error
  • Employee theft

As businesses continue to rely upon technology and the cloud for data storage, we’ll likely see more breaches occur as time goes by. Only last year, the OAIC received 245 notifications between 1 April and 30 June 2019 – and that’s just the ‘notifiable’ ones.[1]

When is it considered a ‘notifiable data breach’?

A data breach is considered notifiable when it’s likely to result in serious harm. Examples of serious harm include the following:

  • Identity theft
  • Financial loss through fraud
  • A likely risk of physical harm, such as from an abusive ex-partner
  • Serious psychological harm
  • Serious harm to an individual’s reputation

If your business is covered by the Privacy Act 1988[4] and it experiences a data breach that is likely to result in serious harm, you must notify affected individuals and the OAIC. Businesses have 30 days to assess whether a breach is likely to result in serious harm. In that timeframe, they must also try to reduce the chance that an individual experiences harm. If the business can successfully limit harm, it will still need to inform the OAIC, but may no longer need to advise the individual (depending on the type of breach).

An example of a data breach that resulted in serious harm was in 2015, prior to the NDB scheme being in place, when Telstra partner Sensis published hundreds of silent numbers on its online version of the White Pages.[2] While Telstra and Sensis both investigated alongside the Privacy Commissioner, if this were to happen under the new scheme, they would have been required to report it within 30 days to the OAIC and the impacted individuals. They may also have been required to cover relocation costs for the impacted individuals to help avoid serious harm.

Of course, this type of data breach is an example of human error; according to the OAIC, 34% of NDBs between April and June last year were a result of human error. More concerning, however, was that 62% were attributed to malicious or criminal attacks.[1]

Protecting your business from cyber attack

Globally, the average cost of a data breach to a company is $3.86 million[3] – which means it’s certainly not something to take lightly. While processes to minimise human error can be implemented, a bigger investment needs to be made to protect your business from malicious activity.

Many companies now see the benefits of outsourcing their cyber security needs to a Managed Services Provider (MSP). By working with an MSP, you not only gain access to a team of specialists – often for less than the price of hiring just one internal IT technician – but you also get 24/7 support and access to the latest technology, ensuring your network and data are as secure as possible from cyber attacks.

At Spirit, we're dedicated to fortifying your cyber defences with tailored solutions for your business. Our approach includes the management of firewalls, Microsoft 365 backup & disaster recovery solutions, and endpoint protection to name a few, all crafted to meet the specific needs of your operations. We guarantee vigilant and continuous protection, ensuring your business is safeguarded around the clock from potential cyber threats.

Having a response plan for a notifiable data breach

Even with the best cyber security in place, it’s important to note that there is still potential for a data breach to occur. Technology is advancing rapidly – and cyber criminals are only getting smarter. That’s why the amendment to the Privacy Act also requires businesses to have a documented response plan should they be impacted by a notifiable data breach.

A data breach response plan enables your business to respond quickly, substantially decreasing the impact of a breach on affected individuals. A quick response will also reduce the costs associated with dealing with a breach, and can reduce the potential reputational damage that can result.

The OAIC recommends that your response plan be documented in writing to ensure everyone at your organisation understands what must happen during a data breach. It should cover the following information:

  • A clear explanation of what constitutes a data breach.
  • Potential strategies for containing and remediating the breach.
  • Any legislative or contractual requirements, such as the requirements of the NDB scheme.
  • When and how affected individuals will be notified.
  • Criteria for determining which external stakeholders should be contacted (e.g. law enforcement, the media, regulators such as the OAIC, etc.).
  • The roles and responsibilities of staff.
  • The circumstances in which a senior manager can handle a data breach and when it must be escalated to a response team.
  • How your business will record data breach incidents, including those not escalated to a response team.
  • How the data breach will be reviewed afterwards, including how it occurred, the success of your response, and how you can improve.

To comply with the NDB scheme, you must ensure your business can implement its response plan as a priority should a data breach occur.

Responding to – and defending against – data breaches with Spirit

The OAIC emphasises the importance of having a dedicated team to oversee and implement your response plan in case of a data breach. This team may involve your in-house staff, such as an IT manager or team leader, and could also engage the services of a Managed Services Provider (MSP).

At Spirit, our focus is on providing comprehensive cyber security services that mitigate the risk of data breaches and guarantee compliance with the Privacy Act if such an incident occurs. Connect with our specialists today to explore how our solutions can be instrumental in safeguarding your business.

Sources

  1. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019/
  2. https://www.itnews.com.au/news/sensis-publishes-hundreds-of-silent-numbers-online-407359
  3. https://us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html
  4. https://www.oaic.gov.au/privacy/privacy-for-organisations/small-business/
