If you’re in the business of handling personal data of any kind, today marks the start of new regulations that’ll change the way you do business. The new Notifiable Data Breaches (NDB) scheme comes into force. From today onwards, when any personal information is affected by a data security breach, every individual involved has to be informed.
The scheme could be a game-changer.
No longer can major businesses who hold personal information manage breaches on their own need-to-know bases. Some commentators are thinking payment processor scandals, fintech stocks going all over the shop, and worse. But we’re hoping it’ll prove to be a bit more like the Y2K of PR divisions for financial services organisations. And there’s one thing you can do – something that’s easier than ever – to prevent you ever having to make a notification.
What is the scheme?
In case you haven’t read up, here’s a quick primer. The Notifiable Data Breaches scheme is a new reporting obligation that applies to all agencies and organisations that are covered by the Privacy Act. In other words, all businesses and non-profits with annual turnover of more than $3 million, plus certain businesses with turnover under $3 million, including (but not limited to) health service providers, credit reporting bodies, and employee associations. Oh yeah, and every agency of (and contractor for) the Australian Government.
To sum it up, every time an organisation suffers a security breach, they have to look at:
- What data was involved: notifiable personal data includes financial details and ID info
- Whose personal information was a part of that data set
- Whether the data breach is likely to result in serious harm
Once they’ve worked that out, they’ve got to:
- Tell the Office of the Australian Information Commissioner
- Tell the people involved
- Assist them / make recommendations for preventative action
The reasons and procedures are legislated in the Privacy Amendment (Notifiable Data Breaches) Act 2017, which now forms part of the main Privacy Act[i].
What’s the no. 1 thing you can do to avoid a notifiable breach?
Most data breaches don’t involve hackers forcing their way into ‘secure’ servers. Rather, they come down to simple human error. That includes anything from writing down passwords to accidentally leaving company laptops and devices in public places. A report from the Ponemon Institute sponsored by IBM Security suggested that around a quarter to a third of data breaches are caused by human error[ii]. The global average cost to the organisation per data record breached this way is USD$125.80. That covers costs such as legal action, compensation, and fixing the source of the breach. And the cost can be much higher for certain industries.
According to one major cyber risk insurer in the US and UK, around three quarters of companies are planning to make “address(ing) factors tied to human error or actions” their top priority in the next few years[iii]. And they’re going to do it by implementing “comprehensive training programme(s) on cyber risks for employees (and) nonemployees (e.g. contract workers)”.
If you haven’t already, now’s the time to get cracking on your information security education approach. And it’s much easier than you might be expecting. For less than the cost of the loss of a single record, you can get an employee or contractor switched on about cyber security and ready to protect your notifiable data.
How Money101 can help
Money101 delivers engaging digital training that’s all online, quick to roll out, and easy for employees to access any time. Our flagship title on data security is Introduction to Information Security. It’s a comprehensive yet accessible short module. Subtopics covered include device security, password basics, social engineering, and more.