
FAQ: Australian Notifiable Data Breaches Scheme

By Tracey Robert | March 29, 2018

As of February 22, 2018, the Federal NDB (Notifiable Data Breaches) scheme came into effect, and applies to all businesses operating in Australia.

The team of cybersecurity experts at Fortinet in Australia held a live webinar providing the general public with more information about this new regulation, which is available to watch here.

For your easy reference, here is a short list of questions asked by attendees that Fortinet experts have answered in order to give you more insight into the new NDB scheme.

What is the NDB Scheme?

The NDB scheme introduces the compulsory requirement for all businesses to publicly notify each individual, via official documentation, whose personal information is involved in a data breach that is likely to cause serious harm. They must also notify the Australian Information Commissioner. These notifications have to make people aware of the breach, and include recommendations as to what every person should do in response.

What are the potential costs to my business?

Costs can vary widely, but reporting events like this could be a costly exercise in more ways than one for your business, so prevention is better than the cure. It’s better for your business to be adequately prepared with the right cybersecurity in the first place.

The biggest challenge for smaller businesses is even knowing when there has been a breach in the first place. What strategies can SMBs put in place to help with detection and identification?

There are many paths or means by which a hacker can gain access to a computer or network server in order to cause a malicious outcome such as a data breach (known as a ‘threat vector’). There are simple, cheap and effective solutions that SMBs can employ to reduce the risk of a data breach, such as proper segmentation and access control. But this isn’t a one-size-fits-all problem. All organisations have to start by assessing the level of risk associated with each possible vector that affects them. Once this information has been collected, you need to formulate an understanding of what is an acceptable risk and what isn’t. Finally, you will need to prioritise your budget and strategy accordingly.

In terms of how to know if your SMB has experienced a breach, you can implement a system such as a Security Information and Event Management (SIEM) tool to correlate events and provide an alert when suspicious behaviours occur. However, this can be costly for an SMB to do entirely in-house, so instead you may wish to look at an external service provider to be your partner in this. There are a number of great organizations already in the market providing cost-effective Security Monitoring services.

Over the years, we have seen businesses get notified by an external source, such as threat researchers and white hats, of breaches such as information leakage, and then ignore their warnings. When you are contacted by an external organisation, don't brush them off – investigate their claims.

Remember, this new NDB law is designed to encourage businesses to be more responsive and responsible when they learn of a breach. It’s not to force organizations to deploy better systems and processes to detect a breach, though for some organizations that may be an approach that is necessary.

When you use a print service (say to print directly from your mobile phone) to print to a local printer, the data goes via the cloud to your printer. Could this put your data security at risk?

Use of cloud services could absolutely put your data at risk of interception. You need to understand how the services work, such as where the file is stored and buffered, how long is it retained, and who has access to it. Also, what are the Cloud provider’s T&Cs about security and confidentiality of data? Then, weigh all of this against your risk profile assessment in order to decide which, if any, cloud services are best for your organisation.

Considering most employers record Tax File Numbers (TFN), under the NDS, doesn't that imply most of them would already have to report if their data was breached?

The OAIC mentions this directly in this reference site.

In short, if a business only falls under the Privacy Act because of the TFN data it receives, the business would only need to make an official notification if the data breach directly involved TFN information.

If you are on the cusp of $3 Million in annual revenue, say normally $2.6 Million, but you unexpectedly have a particularly good year, do you only have to report under the NDS if your revenue for that year is over $3M?

At the end of the day, all of this depends on how your business falls under the criteria outlined in the Privacy Act of 1988. I would suggest seeking legal counsel if you see the potential for something like this to occur.

Is there a link between data breaches and the Public Cloud?

Definitely. Many businesses are adopting ‘cloud first’ strategies, and this number has significantly increased in recent years. Unfortunately, the majority don’t realise that certain security responsibilities still rest with them and not with cloud providers themselves.

In the past, if you were to deploy a system and misconfigure it, the risk was relatively low because it occurred within a localised environment. However, with the cloud today, if you misconfigure a system it has the potential to expose your data to the rest of the world. Many data breaches over the past 24 months provide great examples of this, such as MongoDB databases or Amazon S3 storage buckets, where something as simple as default passwords not being changed led to a security risk.

The NDS says: ‘30 calendar days to complete assessment’. What does this mean?

An entity must "complete the assessment within 30 calendar days after the day the entity became aware" of a suspected eligible data breach, then notify as "soon as practicable" to both the affected individuals and the OAIC (Office of the Australian Information Commissioner).

Is there more clarification around what causes "Serious Harm" when it comes to the NDS?

This can be very subjective and depends on the type of data that has been lost. The current definition is very vague and ambiguous, and likely to leave the OAIC plenty of leeway to prosecute. After the first handful or so of penalties, the industry may have a better understanding of what is really deemed "serious harm", but we always suggest that you err on the side of caution, and seek legal counsel if you are the subject of a data breach.

When the NDS says: "30 calendar days to complete assessment", what is the definition of “assessment”? Who do we need to contact?

Both the individuals whose data was lost, and the OAIC.

The assessment period is for organisations to investigate a "suspected data breach" to determine if it is "eligible" for compliance with the NDB scheme. There is no strict definition for procedures to follow, but the OAIC suggests the following three steps:

(1) Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it.

(2) Investigate: quickly gather relevant information about the suspected breach including, for example, what personal information is affected, who may have had access to the information, and the likely impacts.

(3) Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see “Identifying eligible data breaches” in the NDB scheme resources). Again, legal counsel is advised.

The NDB scheme doesn’t say that it is mandatory to release a public statement of a Data Breach. Do you recommend publishing a statement even if the organisation contacts the affected people individually? Perhaps with a different approach, such as a website statement with a timeline, or a press release with a more general description and recommendations?

Businesses have many options defined by the OAIC. You can review them here.

The first recommendation (in addition to notifying the OAIC) is to notify the individuals at risk (all individuals potentially involved if you cannot determine exactly who has been impacted).

If it's not practical, then the entity "must publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm."

As you can see, the OAIC only provides a minimum requirement of the notification; however, if your business chooses to go beyond this, it will help demonstrate to your customers and industry peers your organization’s values and dedication to customer data protection.

What is stopping multi-nationals from moving data to countries with no or poor NDB schemes to avoid responsibility?

The NDB scheme doesn't distinguish where data is stored. If the business trading in Australia falls under the Australian Privacy Act, then the Australian Privacy Principles (APP) apply.

My understanding is that the State Governments are not governed by the NDB. These government agencies retain a large amount of personal information. What can be done to ensure that the data held by these entities is protected?

Correct, they aren’t within the NDB’s jurisdiction, and they do hold a lot of data. At this stage, however, it’s not clear what will be proposed for State Governments and other related businesses and institutions (such as Universities) that don't have to comply with it. Hopefully, however, they will still behave responsibly by disclosing such incidents.

Does the “30 calendar day” period begin from the date of the data breach or the date when the organisation realises there has been a breach? If it is the latter, what will stop these organisations from first preparing the plan and then disclosing a breach, in order to appear to have a speedy remediation plan?

30 days is from the day after a suspected eligible data breach is discovered. There is technically nothing to stop them. However, as we have seen with previous incidents, those secrets seem to always come out.

As a user of Fortinet solutions, the gap that I find for supporting the NDB is in identifying what (if any) sensitive data was infiltrated. Does Fortinet now have a method for labelling sensitive data? Or for checking the classification of data as it’s leaving the network (using the deep SSL inspection)?

There are many different methods available on Fortinet security products today depending on the threat vector you are looking to protect against. FortiGates, for example, have a DLP feature that can be enabled (along with SSL deep inspection) to block files with contents that match certain regular expressions. DLP fingerprinting is also possible. Similarly, with FortiMail, DLP is available to scan email messages.
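As an added illustration of the regex-based content matching described above (not Fortinet's code or a FortiGate configuration), this Python example scans outbound text for Tax File Number candidates and confirms each one with the commonly published TFN check-digit weighting, so the rule fires less often on invoice numbers and other nine-digit strings. The function names, threshold and sample text are constructed for this example, and the weighting is treated as an assumption.

```python
import re

# Candidate pattern: nine digits, optionally grouped 3-3-3 with spaces or hyphens.
# The lookarounds stop it matching inside longer digit runs such as card numbers.
TFN_CANDIDATE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)", re.ASCII)

# Assumption: the commonly published weighting for 9-digit TFNs. A number is
# plausible when the weighted digit sum is divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_checksum_ok(digits):
    """Return True if a 9-digit string passes the weighted mod-11 check."""
    if len(digits) != 9 or not (digits.isascii() and digits.isdigit()):
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text):
    """Return the distinct checksum-valid TFN candidates found in text."""
    hits = []
    for match in TFN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if tfn_checksum_ok(digits) and digits not in hits:
            hits.append(digits)
    return hits


def dlp_verdict(text, threshold=1):
    """Block the content when it holds at least `threshold` valid TFNs."""
    hits = find_tfns(text)
    return ("block" if len(hits) >= threshold else "allow", hits)


# Constructed sample of an outbound document; 123456782 is a test value
# that satisfies the checksum, the other numbers do not.
SAMPLE = (
    "Payroll export\n"
    "Employee: J. Citizen  TFN: 123 456 782\n"
    "Invoice ref 123456789, phone 0412 345 678\n"
    "Card 4111111111111111\n"
)

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE))
```

A regex alone would also flag the invoice reference; the checksum step is what separates likely TFNs from arbitrary nine-digit values, and the match list can feed the assessment of what personal information was involved.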

Does a company only get fined the $1.8 Million penalty if they don’t notify the affected parties, and contact the Commissioner?

Yes, up to this amount, along with any other sanctions the OAIC wishes to impose.

We trust that you found these answers useful in helping you better understand the NDB scheme and any obligations that may apply to your organization.

How does my business prepare for this?

All businesses hold personal data of some fashion on their networks, and if your business were to suffer from a cyberattack, you are required to notify your entire database of customers. This would be a PR nightmare at the very least.

For more information on how to be compliant, read our whitepaper Preparing for mandatory data breach notification.