The NDB scheme cometh: be prepared

The consequences of a serious cyber-attack can be enormous for your company. Business interruption, stolen data and the costs of recovery and remediation all add up to a considerable burden. Now there is an extra layer of complexity. The Notifiable Data Breaches (NDB) scheme comes into effect on 22 February 2018 and requires organisations covered by the Privacy Act to notify affected individuals, and the Australian Information Commissioner, when personal information has been breached.

A necessary measure

The amendment to the Privacy Act that introduces the Notifiable Data Breaches scheme, commencing on 22 February 2018, is an important development for data security.

After this date, if a data breach involving unauthorised access to, unauthorised disclosure of, or loss of personal information is likely to result in serious harm to the individuals to whom the information relates, the organisation must notify the Commissioner and the affected individuals, and advise those individuals on the steps they can take to minimise the harm from misuse or leakage of their personal information. Organisations that merely suspect such a breach must assess it promptly; the scheme expects that assessment to be completed within 30 days.

The legislation is useful for both consumers and companies because it:

  • Recognises the importance of personal information and data.
  • Encourages personal data to be protected, as well as respected.
  • Creates more transparency and gives consumers confidence.

The government also suggests that the NDB legislation gives companies an incentive to ensure they have a security framework in place and that the controls they have implemented are sufficient and actually working; in other words, that they are cyber-resilient.

The consequences of non-compliance

Historically, some large companies did not publicly report data breaches, and there were strong commercial incentives not to.

A company's reputation, share price and sales can all suffer if it is found to have poor security that resulted in a breach, on top of the added costs of crisis management and public relations. A data breach erodes the confidence customers place in a company and may prompt them to evaluate a competitor's services instead. In the worst case, customers may sue for damages for breach of privacy or defamation.

Now, not reporting will no longer be an option.

Under the new legislation, if an organisation fails to notify customers of an eligible data breach, it may be required to:

  • Issue a public apology
  • Pay compensation
  • Notify affected individuals at the direction of the Australian Information Commissioner

If the failure is serious or repeated, an organisation faces a civil penalty of up to AU$1.8 million.

Prevention better than a cure

Now is the time to review your security practices and frameworks and make sure the controls you have implemented are sufficient. Preventing the cyber-attacks that lead to data breaches is clearly preferable to dealing with the fallout.

Some of the ways to ensure that you are cyber-resilient and prepared for the NDB scheme include:

  • Make sure a security framework is in place that addresses people, process and technology.
  • Identify where your customers' personal information is stored and the risks to it, so that effective controls can be implemented to protect its confidentiality, integrity and availability.
  • Adopt continuous, defence-in-depth controls, informed by threat intelligence, that can block threats across different attack vectors.
  • Improve the visibility of your network traffic and user behaviour.
  • Ensure 24/7 management and monitoring of your networks so that you can respond rapidly to cyber-threats and attacks.
  • Have a data breach response plan that assigns responsibility for assessing whether a suspected breach is notifiable and for notifying the Commissioner and affected individuals within the timeframes the scheme sets.
  • Investigate managed security services that give you access to skilled resources and apply proven practices.

More articles by Garth Sperring