Notifiable Data Breach: Is Your Business Prepared?

Nathan |

On 22nd Feb 2018, new privacy laws came into effect in Australia, known as the Notifiable Data Breaches (NDB) scheme. An amendment to the Privacy Act 1988, the scheme regulated the reporting and notification of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and to the impacted individuals. 

Despite this scheme now being in effect for almost two years, many organisations still don’t understand their requirements in this space, particularly the plans they need to ensure are in place so they can respond quickly when one does occur.

That’s why at The IT Department we help clients better understand their obligations. Keep reading to learn what is considered a notifiable data breach, and how you can ensure your business remains compliant.

 

What is a notifiable data breach?

Put simply, a data breach occurs when personal information is accessed or disclosed without authorisation or is lost. It’s considered notifiable when the breach is likely to result in serious harm. Examples of serious harm include:

  • Identify theft
  • Financial loss through fraud
  • A likely risk of physical harm, such as by an abusive ex-partner
  • Serious psychological harm
  • Serious harm to an individual’s reputation

If the Privacy Act 1988 covers your business, you must notify affected individuals and the OAIC. Generally speaking, businesses have 30 days to assess whether a breach is likely to result in serious harm. They must also try to reduce the chance that an individual experiences harm. If successful, they will still need to inform the OAIC, but will no longer be required to advise the individual.

Defending against data breaches

Between April and June this year, the OAIC received 245 data breach notifications. The personal information most affected was contact information, with a total of 90 breaches. Financial information was the next target, with 98 NDBs, followed by identity information at 31.

Out of those breaches at the start of the year, 62% were labelled as malicious attacks. These included phishing, malware and ransomware, brute-force attacks, and compromised or stolen credentials.1

The best way to avoid notifiable data breaches is to ensure your cyber security is up-to-scratch. But it’s more than having a stock-standard firewall and anti-virus software. For businesses regularly dealing with personal information, it’s recommended having a trusted Managed IT support provider that can monitor your network around-the-clock and keep your security updated with the latest protection.

Does your business have a response plan?

Even with the best security in place, there is still a likelihood that a data breach may occur. This could be a result of a particularly crafty cyber criminal, or simply human error from one of your employees. That’s why it’s crucial you have a response plan in place should your business be affected. 

At the IT Department, we provide cyber security as part of our Managed IT services, and we can also help develop your NDB response plan, ensuring your IT strategy aligns with your business requirements. Keep in mind, this doesn’t affect only large organisations, but businesses making over two million in revenue, or any company that holds particular types of data, such as health information.

Get in touch with the team today for a free consultation.

  1. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019/