technology
Shore up your data
Practical ways to comply with mandatory notifiable data breach legislation.
By Sean Duca
Most organisations are now aware of the federal
government’s mandatory notifiable data breach (NDB)
legislation and the penalties associated with failing
to comply. Essentially, the scheme aims to give individuals more
control over their personal data, so it requires certain businesses to
report breaches of that data to the individual concerned as well as
to the Office of the Australian Information Commissioner (OAIC).
Failing to report a breach can result in financial and civil penalties.
The OAIC’s first quarterly report on notifiable data breaches
revealed that health service providers reported the most breaches
(15 out of 63 since 22 February 2018). Fifty-five breaches in total
were reported in March alone, which is almost two per day. *
Health service providers include any organisation that provides a
health service and holds health information. Information breaches
at a health service provider have a significant likelihood of causing
serious harm to the affected individuals because of the inherently
sensitive nature of medical information. People could potentially
suffer psychological distress or even trauma from having the
details of their health shared publicly. Depending on the nature of
their health problem, they could experience social stigma and it
could affect their job prospects and earning potential.
Furthermore, the combination of personal details available
via health records makes victims vulnerable to identity theft,
which can cause ongoing problems. While it is relatively easy to
change credit card details, it can be harder for victims to secure a
new Medicare number, for example. Cybercriminals can use that
information to fraudulently open bank accounts and loans in the
victim’s name, racking up significant debts in the process.
34 agedcareinsite.com.au
The NDB scheme applies to all government agencies and
businesses already required to comply with the Privacy Act,
which includes businesses and not-for-profit organisations with
an annual turnover of more than $3 million. It also covers any
business that collects and stores personal information such as
education records, tax file numbers or health records.
The Australian scheme is being mirrored around the world.
For example, Europe’s General Data Protection Regulation (GDPR)
includes similarly stringent requirements for businesses to take
all reasonable steps to keep confidential information secure.
The GDPR extends to any business interacting with
businesses or individuals in Europe, so Australian businesses
need to be aware of their responsibilities under it.
In New Zealand, data breach notification is expected to become
mandatory at some point, but no details are confirmed yet.
While the need to be aware of and comply with regulations
from around the world can seem overwhelming, there is one sure
way to avoid falling foul of the regulations. Businesses need to put
all of their cybersecurity efforts towards preventing breaches from
happening in the first place, rather than only looking to mitigate
breaches after they’ve happened.
There are five key steps businesses should take now that the
NDB scheme is in full effect:
1. Understand and map out what data the business holds
Companies collect and store data across any number of
locations, so auditing the data held within the business is an
important step towards complying with the scheme. It’s essential
to know where the data resides (on-premises or in the cloud),