PS&C Security Group ran two successful Cyber Assurance Breakfast events last week in Sydney and Melbourne. One of the main topics was the data breach notification laws that come into force on Thursday the 22nd of February. The general feedback from our panel was that many Australian companies are underprepared. Despite this, with some planning you can put your organisation in a much better position to comply with the updated obligations.

Today the Office of the Australian Information Commissioner (OAIC) released an updated data breach preparation and response guide to help companies understand their obligations. The updated guide can be found here:

The guide covers how best to prepare for and manage the new notification requirements, which it breaks into the following steps:

  • Understand – What are your obligations, where is personal information held, and what would constitute a breach?
  • Plan – Prepare a data breach response plan: who needs to be involved, what it covers, and who you need to notify. (Page 18 of the document provides a helpful checklist.)
  • Respond – If you are subject to a data breach, the process is to contain, assess, notify and then review.

At the Breakfast events the panel responded to some interesting questions from the crowd on this topic. I have tried to highlight the main questions and summarise the panel's responses.

When do I have to notify?

The scheme covers, among others, Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers and TFN recipients. If you fall into one of these categories, you are required to notify under the scheme when you experience a breach that meets its threshold. The advice from the panel was to err on the side of caution and, if in doubt, notify. If you try to ignore a data breach and it later comes to light, the OAIC is unlikely to show leniency.

If I have a breach that occurred before the 22nd of February 2018, but I discovered it after that date, do I have to notify?

Yes, any suspected breach should be notified.

Are there steps I can take to reduce the likelihood of the OAIC imposing fines or prosecuting?

Until the new notification laws have been tested in court it is not possible to give a definitive answer. However, based on the material provided by the OAIC, if you can demonstrate that you have taken appropriate steps to secure the data, the penalty is likely to be much less severe. Appropriate steps would include having a testing regime that covers at least annual penetration testing and regular vulnerability scanning, having a response plan in place, being proactive in notifying the OAIC, and ensuring you have an appropriate Information Security Management System in place.

If you are already involved in information security or risk management, this will be familiar. However, it is likely the board will be asking questions about the data breach notification laws and what their obligations are. The best starting point is the documents provided by the OAIC, followed by engaging an expert security firm to ensure you fully understand the risks to your business in a way that can be communicated to key stakeholders.

The goal of the regulation is to protect consumer confidence in organisations that handle sensitive information. These regulations will enable consumers to be more trusting and allow businesses to innovate in how they deliver services. Longer term the overall benefit will far outweigh the short-term pain.

On a side note, this is aligned with broader global initiatives such as the General Data Protection Regulation (GDPR) from the EU. As of the 25th of May 2018 that regulation becomes enforceable for companies holding the personal information of individuals in the EU, regardless of where the company itself is located.

Marco Cantarella

Marco has been working in the information security industry for 8 years and with PS+C Group since 2014. Over the years, and through countless conversations with customers, he has developed a very good understanding of the security market and what is relevant to customers. He has worked with customers across the entire APAC region to deliver Penetration Testing, PCI & ISO Assessments, Governance Reviews, Red Teaming, Product Solutions and long-term AppSec programs. If you are interested in learning more about what is relevant in security and where to get the best value for your security spend, please contact us.