With two sets of regulations set to affect Australian businesses in 2018, we thought it would be important to attempt to ‘lift the veil’ on how these rules will affect small and medium-sized businesses in Australia.
Firstly, it is important to understand that there are two distinctly different sets of rules that will come into play in 2018. The first is the ‘Notifiable Data Breach’ (NDB) scheme, which makes the notification of data breaches mandatory for certain organisations. This will be mandatory as of 22 February 2018. The second is the ‘General Data Protection Regulation’ (GDPR), which will come into effect on 25 May 2018. This is being introduced by the European Union and it affects any Australian company that holds private data of European citizens. So if you do any business in Europe, this applies to you.
In this post, we will concentrate on the NDB scheme.
Notifiable Data Breach
Who needs to Comply?
The NDB scheme affects companies defined as ‘Australian Privacy Principle entities’, which, if you dig deeper, is defined as companies that handle personal information and have a turnover larger than $3 million. In addition, it incorporates all health care providers, any company handling consumer credit information, and any company handling TFNs. Personal information is loosely defined by the OAIC as “information or an opinion that identifies or could reasonably identify an individual. Some examples are name, address, telephone number, date of birth, bank account details and opinions”.
With these being the definitions of who needs to comply, you can see that the laws are applicable to many SMBs. If you think about the data you store for your staff, let alone for your clients, many Australian companies would be seen as storing ‘Personal Data’.
What are my obligations?
Your main obligations under the NDB Scheme and the Australian Privacy Principles are to:
- Keep your clients’ data private to the best of your capabilities
- Notify the OAIC and affected clients / personnel of any data breaches that could possibly cause them ‘harm’ in the form of prejudice, financial loss etc., within 30 days of the breach
While these rules make complete sense, and, as an individual who has personal information stored with companies in Australia, I am very happy to hear that they need to tell me if my details were exposed, the unfortunate reality is that most SMBs don’t have the tools in place that will even let them know that there has been a data breach.
What penalties can the OAIC enforce if I’m not compliant?
In the event of a breach that is reported to the OAIC, the OAIC will make an assessment of the breach and what actions you have taken as a company based on:
- “the nature of your entity”
- “the amount and sensitivity of the personal information held”
- “the possible adverse consequences for an individual in the case of a breach”
- “the practical implications of implementing the secure measure, including the time and cost involved”
- “whether a security measure is itself privacy invasive”
The OAIC has a range of powers from investigation to conducting a hearing and even “apply[ing] to the court for a civil penalty order” according to the OAIC.
So what actions do I need to take to make sure I comply?
Here at Integr8IT, we have a four-step principle that is the basis for all our security measures. Below are just a few tips, grouped under those four steps, to help SMBs make sure they are compliant. Please don’t treat this as an exhaustive list; it is meant as a guide only.
- Find the Gaps
  - Do a security audit. Find out how secure your data really is and how protected you are against the plethora of threats that exist.
  - Look at performing regular penetration and vulnerability tests.
- Prevent the Threat
  - Using Xero or Office 365? Look into using multi-factor authentication.
  - Storing sensitive data on your servers? Is it being encrypted?
  - Do you remove private data once it is no longer required? If not, this could be an unnecessary security risk.
  - Are your firewalls doing their job correctly? Do you have Unified Threat Management (UTM) enabled?
  - How physically secure is your data? Can someone access your server infrastructure without authorisation?
  - Are your staff members trained up on best practices with regard to security?
  - What is your patch management plan?
  - What anti-virus are you using, and does it secure you against the more modern attacks?
- Monitor for Threats
  - Make sure you have the right monitoring and alerting tools for your environment.
- Manage the Incidents
  - Produce an incident management plan which details how to communicate breaches to the OAIC and affected clients.
  - If there is a data breach, look into how you can prevent it in future.
Please note that this post is meant as a guide only and is purely our interpretation of the NDB scheme and the APPs. For a more comprehensive guide, go to the resources available on the OAIC website.