Notifiable Data Breach - De-mystified
The essentials you need to know.
The Australian government's notifiable data breaches scheme is upon us...
Who needs to comply with the scheme?
If your organisation already has obligations to protect personally identifiable information (PII) under the Privacy Act, then you have to comply with the NDB scheme, but you probably already knew that.
If your organisation is an Australian government agency, or a business or not-for-profit entity with an annual turnover of more than $3 million, then you have to comply with the NDB scheme.
If your organisation is a private sector health service provider, a credit reporting body, a credit provider, a business that trades in PII, or a TFN recipient, then you have to comply with the NDB scheme regardless of turnover, even if your annual turnover is $3 million or less.
So when is PII considered breached?
Unauthorised Access
PII is considered breached when data that an organisation holds is accessed by someone who is not permitted to access it. This includes access by an employee or contractor of the organisation who is not authorised to see the data, as well as unauthorised access by a third party such as a malicious actor.
Unauthorised Disclosure
PII is considered breached when it is made accessible or visible, intentionally or unintentionally, to others outside the organisation and is released from the organisation's effective control in a way that is not permitted. This includes unauthorised disclosure by an employee of the organisation.
Loss
PII is considered breached when it is accidentally or inadvertently lost (a misplaced laptop or USB drive, for example) in circumstances where the loss is likely to result in unauthorised access to or disclosure of the data.
The NDB scheme states that a breach is notifiable (an "eligible data breach") if:
- There is unauthorised access to, unauthorised disclosure of, or loss of PII, and
- It is likely to result in serious harm (more on serious harm coming up) to one or more individuals, and
- The organisation has not been able to prevent the likely risk of serious harm with remedial action.
Serious Harm Defined:
Identity theft, or
Significant financial loss to an individual, or
Threats to an individual's physical safety, or
Loss of business or employment opportunities, or
Humiliation, damage to reputation or relationships, or
Workplace or social bullying or marginalisation.
If you suspect a breach, call us:
Seriously...
According to the NDB scheme, an organisation that suspects a breach must take all reasonable steps to complete an assessment of the suspected breach within 30 calendar days (which the Commissioner regards as a maximum, not a target), preferably using an independent, certified IT risk assessment team.
The Commissioner expects that an entity's approach to data breach assessment at minimum involves a data breach response plan, and that the assessment itself at minimum initiates the response, investigates the incident and evaluates the risk of harm.
Once the organisation has reasonable grounds to believe that an eligible data breach has occurred, it must notify the Commissioner and the affected individuals as soon as practicable.
The risk and breach assessments required by the NDB scheme are well within our capability.
If you would rather be proactive, call us:
Seriously...
Beyond your current core security posture, consider how your defences stand in the following areas, because each of them is critical to preventing a data breach.
Location of the PII data within your network - Do you know exactly where PII resides within your environment, in databases, file shares, exports and backups? If not, we can help you find it and classify it.
Data Encryption at Rest - Data privacy is the key here. Is the structured and unstructured PII in your environment encrypted? If not, we can help you encrypt it at rest and in transit.
Device and Application Control - Controlling how PII flows, and its movement to and from assets, is critical. Do you know how to control the movement of PII in your environment? If not, we can help you lock down any asset and application that could leak data.
Privileged Access to the Data - Your logical borders are in flux, and there are probably remote users and contractors logging in and out of your systems. Do you know who can do what, where and when? Can you audit their activity in real time and grant least privilege access to users working within PII data pools or silos? If not, we can help you control your remote users' access to privileged data.
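Finding where PII actually lives is the first item above, and the hardest part is telling real identifiers from look-alike numbers. The script below is an added illustration written for this page, not the firm's tooling and not part of the NDB scheme: it scans text for Australian Tax File Numbers and email addresses, validates each TFN candidate with the ATO's published weighted check-digit algorithm (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; the weighted sum must be divisible by 11) so that most random nine-digit numbers are rejected, and reports only masked values so the scan report is not itself a new copy of the PII. The sample export it runs over is constructed for the example and contains no real data.

```python
import re
from dataclasses import dataclass

# ATO check-digit weights for a 9-digit TFN; the weighted sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped as 3-3-3 with spaces or hyphens.
TFN_CANDIDATE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass
class Finding:
    line: int      # 1-based line number in the scanned text
    kind: str      # "TFN" or "EMAIL"
    masked: str    # redacted value safe to put in a report


def is_valid_tfn(candidate: str) -> bool:
    """Return True if the candidate passes the TFN weighted checksum."""
    digits = re.sub(r"[ -]", "", candidate)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    total = sum(w * int(d) for w, d in zip(TFN_WEIGHTS, digits))
    return total % 11 == 0


def mask_digits(value: str, keep: int = 3) -> str:
    """Hide all but the last `keep` digits, e.g. 123456782 -> ******782."""
    return "*" * (len(value) - keep) + value[-keep:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain only."""
    local, _, domain = value.partition("@")
    return local[0] + "***@" + domain


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line and return masked findings for checksum-valid TFNs and emails."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TFN_CANDIDATE.finditer(line):
            if is_valid_tfn(m.group()):
                digits = re.sub(r"[ -]", "", m.group())
                findings.append(Finding(lineno, "TFN", mask_digits(digits)))
        for m in EMAIL.finditer(line):
            findings.append(Finding(lineno, "EMAIL", mask_email(m.group())))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, the figure an assessment would record per data store."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample export for this example; every value here is made up.
SAMPLE = """\
Employee onboarding export (constructed sample, not real data)
name=Jane Citizen, email=jane.citizen@example.com, tfn=123 456 782
name=John Smith, email=john.smith@example.com, tfn=123-456-789
invoice_ref=876543210 amount=1200.00
ticket 445566778 logged by support@example.com
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE)
    for f in results:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print(summarise(results))
```

Run against the sample, the scanner reports the TFN on line 2 and the emails on lines 2, 3 and 5, rejects the nine-digit value on line 3 and the ticket number on line 5 because they fail the checksum, but still flags the invoice reference on line 4, which happens to pass it. That last case is the caveat to keep in mind: a checksum cuts false positives sharply but does not eliminate them, so discovery output needs a human or contextual review before it is treated as a PII inventory.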