Understanding the Australian Notifiable Data Breach SchemeHow Fortinet addresses key data protection requirements of NDB
Australian Privacy Amendment (Notifiable Data Breaches) Act 2017
Fortinet is a cyber-security company for SME to Enterprise sized businesses.
Here we take a look at the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 so that you can understand what is required of businesses to be in compliance with the legislation and the potential pitfalls and issues associated with becoming compliant.
The legislation is in effect as of 22nd February 2018. Find out how Fortinet can help get you ready for both this and the European Union’s General Data Protection Regulation (GDPR) now in effect in May 2018 in a cost-effective way.
Guidance on the NDB and its implementation
In February 2018, Australia’s NDB Bill will go into effect. It requires Australian businesses with turnover of $3 million and over to comply with new data breach notification standards or face stiff fines.Get the White Paper
Getting the Board On-Board with Data Breach Notification
Here are answers some of the most common questions and issues and bring business decision makers onside with your cybersecurity strategy.Lea el resumen de la solución
Data Security under NDB
In developing data protection policies, organisations need to keep these three key points in mind: - Intrusions are inevitable - Security architecture may require advanced protection - State of the art security is keyLee ahora
With the passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, Australian companies have more reason than ever before to take cybersecurity seriously. IT leaders can expect questions and concerns from business leaders about what the new laws mean for their organisation. Talk to a security expert to learn more, but here are answers to some of the most common ones to bring your business decision-makers in-line with your cybersecurity strategy.
Who does the new Data Notification Law affect?
Australia’s Data Notification Law goes into effect February 22, 2018. It will apply to businesses governed under the Privacy Act 1988 – including any with annual turnovers of $3 million, or businesses that collect and store sensitive user information like payment or personal data. If a data breach will likely result in “serious harm” to individuals, whether reputation, finances, or even safety, you’ll be required to notify the relevant parties. Remind your board that failure to do so can be costly, earning fines of up to $1.8 million!
What is the potential impact?
It is important to recognise data breaches are not an “if” scenario, but a “when.” One in four organisations with top cybersecurity defences still experience data breaches, according to the Ponemon Institute. For those who might play down the costs of a breach, inform them that 90% of a cyber-attack’s bottom-line impact is felt up to two years after an attack. The new data breach laws add hefty fines and heightened public scrutiny to many other consequences of a breach: loss of sales and contracts, compromised IP, and legal action. If necessary, remind your business leaders that customers and shareholders will hold them responsible for non-compliance with these laws.
How can we reduce the likelihood of a breach?
Monitor your networks. It takes an average of six months to discover a data breach, according to the 2017 Ponemon Institute study. It’s critical to have a robust monitoring system not only to help you and your team identify and stop threats more consistently, but also to make compliance with data breach notification laws much simpler. The more visibility you have into your data and networks, the easier it is to give details to regulators and the public if a breach occurs.
Frequently Asked Questions:
The Federal Government of Australia passed the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced the Notifiable Data Breaches (NDB) scheme.
The NDB came into effect in February 2018, and applies to all agencies and organisations that collect and hold people's personal information and are subject to obligations under the Australian Privacy Act 1988.
Should a data breach occur, the NDB requires that all individuals must be notified if their personal information has been put at risk which could result in serious harm. This compulsory notification must also include a recommended course of action that the individuals should follow in response to minimise their risk. The Australian Information Commissioner must also be notified.
The NDB was established to protect individuals and improve the overall standard of personal information security by enforcing a greater responsibility on business' data collection practises and privacy policies.
As data collection is a common business practise today, it applies to a significant majority of organisations across Australia.
Each business must regularly review their practices, procedures and systems for securing personal information to ensure that they meet the requirements of the Notifiable Data Breaches scheme.
A data breach occurs when personal information that is held by an organisation is lost, stolen or exposed to unauthorised access or disclosure.
An 'eligible data breach', which triggers NDB notification obligations, is a data breach that places the individuals to whom the information relates to at risk of serious harm.
- a device or physical record containing customers' personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to human error
- disclosure of an individual's personal information to a scammer due to inadequate identity verification procedures
Upper management is expected to be responsible and highly involved in this process.
If an organisation was to experience a breach, the obligations under the NDB require that an assessment is completed to judge the severity, and then appropriate action is taken.
In the event of an eligible breach, not only does an organisation have to take steps to mitigate the damage, the resulting notification process requires additional resources to craft the warning and potential remedies, then send it out to everyone who has been put at risk.
If an organisation is caught unaware, the result could be disastrous, which is why it's expected that management has already implemented practises, procedures and systems in place and ready.
This also has negative implications from a Public Relations perspective too, as having to notify a database of current and potential customers who they have been put at risk can cause significant damage to the organisation's reputation.
As soon as an organisation suspects a serious breach, it has 30 calendar days to conduct an assessment to verify its significance. As soon as it is deemed eligible under the NDB scheme, it must promptly send out notifications to all individuals and the Commissioner, as required.
If an organisation is found to have hidden an eligible data breach or failed to report it as required by the NDB, then the penalty regime under the Privacy Act applies.
This includes fines of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches.
When an organisation believes that an eligible data breach has occurred, The Australian Information Commissioner must also be notified as soon as practicable (in addition to the individuals affected).
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response
A report can be made online via the official OAIC's Notifiable Dad Breach Form, available here which includes all the necessary information required.