NDB Scheme, GDPR, So what?
The 22nd of February (NDB) and 25th of May (GDPR) have come and gone, and it is still business as usual... or is it?
Where are we with the NDB Scheme?
As you may have read in our blog post in February, "Notifiable Data Breach - De-mystified", the OAIC set out a number of requirements that took effect from the 22nd of February 2018.
Blog Post: NDB Scheme De-mystified
Notified data breaches are on the rise.
242 notifications were received in the 2nd quarter alone.
The majority of data breaches involved between 1 and 5,000 affected individuals per breach.
Malicious attacks were responsible for most breaches.
Stolen credentials, brute-force attacks, and phishing campaigns were the predominant attack vectors.
One of the more public breaches from this quarter in Australia was the PageUP data breach. Bank details, TFNs and personal details of job applicants were compromised. PageUP has a long list of major Australian customers. Due to the NDB scheme, PageUP had to notify its customers, who in turn had to notify their potential applicants, of the breach. Aside from the massive reputational disaster that has ensued, PageUP has faced customer losses, including Australia Post and Medibank, and is facing lawsuits, not to mention fines, none of which would have been public if it wasn't for the NDB scheme. Subsequently, PageUP had to notify the Privacy and Electronic Commission in the UK, due to GDPR regulations.
The GDPR legislation takes all of the NDB Scheme requirements and increases the stakes.
The GDPR is the European Union's General Data Protection Regulation. It affects all companies that process the personal data of individuals in the EU, regardless of where the company is located. Where this really affects Australian businesses is that:
Any Australian business with an office in the EU must comply with GDPR.
Any Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language or enabling payment in Euros, must comply with GDPR.
Any Australian business whose website mentions customers or users in the EU must comply with GDPR.
Any Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes must comply with GDPR.
The grey area for Australian businesses is whether any European customers residing in Australia are considered to be part of the EU. Do businesses with European citizens as customers have to comply with the GDPR? Australia is known for being multicultural and supporting dual citizenship. Many of our dual citizens are European.
Even though European regulators are not currently pursuing this as a legitimate avenue of non-compliance should there be a breach, there is nothing in the regulation to suggest that it is not a non-compliance infraction.
From a technical data breach perspective, though, the GDPR and NDB are very similar in their requirements, which are found within Article 32 (see our blog).
GDPR additionally requires that:
All notification and consent language is to be revised so that an individual knows exactly what they are getting into. The regulation is quite prescriptive here: if the data is considered personal and sensitive, the notification must be explicit and in plain sight.
Everyone has certain rights regarding their personal privacy (Articles 12-23); importantly:
The right to be informed, which promotes clear and plain language.
The right to rectification, promoting correction of inaccurate data.
The right to erasure, promoting cease and desist of data keeping if the individual requests it.
The right to portability, even to a competitor, allowing an individual to be forgotten by that company or to easily move to another provider, among other rights.
An incident response plan needs to be in place to identify the type of data breached, to define the different response teams and their duties during an active breach, and to set out the internal and external escalation processes.
Should there be a breach, companies need to advise the affected persons within 72 hours of the breach.
And failure to comply?
Fines, massive fines.
There are two tiers of fines: up to 10 million pounds or 2% of annual global turnover (revenue) of the previous year, whichever is higher; and up to 20 million pounds or 4% of annual global turnover, whichever is greater.
A little example made of a big name:
It was one of the largest cyber attacks of 2017 (that we know of so far). The personal information of 143 million consumers was compromised, and an additional 209,000 also had their credit card data exposed, when a breach was discovered in July 2017. The company would have failed to meet the 72-hour notification requirement of the GDPR, as it made the breach public only in September 2017. It did launch a website so consumers could check whether their data had been compromised and offered credit monitoring for all U.S. consumers, so it may have received high marks for its co-operation and action post-breach; however, it would still qualify for the higher-level fine, having reported $3.1 billion in revenue for 2016. Had the GDPR applied in this example, the fine would have come to roughly $124,000,000. That is a lot of zeros, even for a monolith like Equifax.
We should start seeing breach statistics coming out of Europe soon enough...