We are just about two weeks into Australia’s first laws that require entities to notify individuals and the privacy regulator (OAIC) of certain types of data breaches. Yet, research published earlier this year by GFK show that too many businesses are unprepared for the new laws.
According to the Canon Business Readiness Index 2018 Information Security Edition, research conducted by GFK concluded that three in five businesses, or 59%, are unaware of the new data breach laws or their compliance obligations.
The Canon & GFK research report concludes that for many businesses the level of concern about suffering a security breach is too low and out of sync with the reality of the risk landscape. This is particularly the case for small businesses, with 15% stating they are not at all concerned about a security breach. The findings of the research highlight the need for businesses to put measures in place to protect, detect and respond to a data security incident as “59% of Australian organisations will have their businesses disrupted by some form of cyber-attack every month.”
It is likely that the lack of concern is driven by not only the lack of awareness about the commencement of the new laws, but also a lack of awareness around the scale of data security and privacy issues. This is alarming because for organisations that fail to notify affected individuals and the OAIC of those data breaches that are notifiable under the Notifiable Data Breaches Scheme, the penalties can be significant – up to $2.1m.
The failure for many businesses, particularly small businesses, to implement the Australian Signals Directorate Essential 8 (ASD8) information security strategies exacerbates this lack of awareness about the new laws and lack of concern about security breaches. According to the Canon & GFK research report, only 40% of businesses have implemented 6 or more of the ASD8 information security strategies. For smaller businesses this decreases to 27%, with 12% having failed to implement any of the ASD8 strategies.
ASD first published its list of 35 controls as “Strategies to Mitigate Targeted Cyber Intrusions” in 2010 based on its experience in responding to cyber security incidents. The strategies were updated in 2012 and 2014. The 2014 update expanded the ASD Top Four cyber mitigation measures to the Essential Eight, with 37 controls as mitigation strategies against a list of six threats. In 2011, the ASD found that the Top Four controls, when properly implemented, effectively mitigates 85% of targeted cyber-attacks.
The Cannon & GFK research findings also highlight that many businesses, and in particular small businesses, were unaware of the importance that people and processes play in the overall Information Security Management Strategy, with people and processes consistently identified as the least important risk to information security. The report concludes that across the board, businesses reported that technology is the biggest vulnerability when it comes to information security.
While technical safeguards are important, employees are often an organisation’s first line of defence to prevent a data security or cyber incident. For this reason, it is essential when preparing for the NDB Scheme, to ensure that people and processes form a critical component of the overall data and information security strategy. After all, an organisation’s data and information security strategy is only as strong as its weakest link – which is often the people in the business
All this is concerning, particularly because the reality is no longer a matter of what an organisation will do ‘if’ it suffers from a data security incident – but what it will do ‘when’ it suffers from a data security incident. Developing, implementing and regularly testing your NDB Response Plan will go a long way in ensuring compliance with the NDB Scheme. The NDB Response Plan is a critical tool outlining the 4 key processes – protect, detect, respond and recover – to manage a data breach, mitigate the risks associated with a data breach, and ultimately ensure compliance with the NDB Scheme.
DGA members can contact us for a handy NDB Response Plan template.
The Notifiable Data Breaches Scheme
The Privacy Amendment (Notifiable Data Breaches) Act 2017 commenced on 22 February 2018, and introduced a Notifiable Data Breaches Scheme – or NDB Scheme for short. The NDB Scheme imposes obligations on entities covered by the Privacy Act and APP’s to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when it is aware of, or have reasonable grounds to suspect, an eligible data breach has occurred. An eligible data breach refers to a data breach that is likely to result in serious harm to any of the individuals whose personal information was subject to the breach.
Importantly, the NDB Scheme does not only apply to wilful, intentional or malicious acts of hackers, but to any situation that likely results in serious harm to individuals following the unauthorised access or disclosure of data, including loss of data where that loss raises a likely risk of unauthorised access or disclosure.
DGA members can contact us for more resources explaining the NDB Scheme.