As of February 2018, all organisations and government agencies subject to the Privacy Act (which is most of you!) will need to be ready for the mandatory data breach notification legislation.
What this basically means is that if you experience a data breach or have lost data, you need to report the incident to the Privacy Commissioner and notify affected customers, or face hefty penalties of up to $1.8 million. Steep!
The legislation considers a serious breach to have occurred when there is unauthorised access to, disclosure or loss of customer information held by an entity, which generates a real risk of serious harm to individuals involved. Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
60% of Australian businesses experienced an incident in the last year (and they are just the ones we know about) and the annual cost of cyber crime to our economy is $4.5bn, so it’s safe to say that at Kiandra we’re pretty happy about the new legislation. We take security very seriously and believe this will help ensure that security is a priority and on the forefront for more businesses and their boards.
What’s more, these new laws bring Australia into alignment with other countries, which have had the same requirement for years. We’ve seen mandatory notification laws having significant effects in other global jurisdictions, and expect to see the same here. With a more open and transparent approach to laws governing the handling of data comes an increased expectation from individuals as to the handling and security of data – and this can only be a good thing. Education is key – and if your staff are more aware of how companies use and store their data, as well as being abreast of the latest security threats and common vectors, your security stance as a business is greatly increased.
So what do you need to do to make sure you are ready for the new legislation?
According to our resident security specialist, Dan Weis, organisations that act proactively to manage their cyber risks are much better placed to reduce the frequency and severity of a breach, and the reputational fallout.
Dan advocates a multi-layered approach to security as the more layers you have, the more security and protection you have in place.
At a minimum, the base level preventative measures you have in place should include:
• Staff awareness training and regular testing (do your staff know what common attacks look like — would they be fooled by scam emails? Do they know the latest threats, are they exercising common sense?)
• Making sure that your IT team put in place the necessary security controls (intrusion prevention systems, end-point protection, whitelisting and lockdown, networking and email protection, firewalls etc.)
• Documented and tested incident response policies and procedures for cyber-attacks
• Penetration testing (a trained professional attacks your systems from a malicious hacker’s perspective, to uncover security vulnerabilities and weaknesses within an environment).
And of course, have an incident response plan in place. Even before the introduction of the mandatory notification regime, the Office of the Australian Information Commissioner (OAIC) expected to see a pre-prepared and considered plan being used in the management of a data breach.
At the end of the day, you can’t stop a hacker but you can make it as hard for them as possible. By combining a couple of the more traditional security measures such as firewalls, intrusion prevention systems, web filtering, email filtering and virus protection alongside penetration testing and staff awareness training, and appropriate insurance, you can keep a business on stable financial footing should a significant security event occur.
And, if you can show the OAIC, customers and other stakeholders that you have done your due diligence you’ll be much more likely to weather the reputational fall-out should a security incident occur.
If you’d like to talk to us about cyber security or have our security team assess your readiness for the new legislation please get in touch on firstname.lastname@example.org or call 03 9691 0500.