Australia has entered a new cyber security era with the Notifiable Data Breaches (NDB) scheme coming into effect on 22 February 2018.
The scheme affects all organisations with an annual turnover of more than $3m, and certain smaller organisations below that threshold that hold personal data (for example health service providers and businesses that trade in personal information). Personal data covers details such as banking details, medical records, addresses and phone numbers, whether held in hard copy or digital form. In short, the NDB scheme applies to any organisation that is an APP entity, that is, an entity bound by the Australian Privacy Principles under the Privacy Act 1988.
From 22 February onwards, an eligible data breach – one that is likely to result in serious harm to any of the individuals whose information is involved, whether that information belongs to staff or to clients – must by law be reported to the Office of the Australian Information Commissioner (OAIC). Where a breach is only suspected, the organisation must carry out a reasonable and expeditious assessment, and complete it within 30 days of becoming aware of the grounds for suspicion, to decide whether it is an eligible data breach. The individuals whose data is compromised must then be notified ‘as soon as practicable’.
Non-compliance is treated as an interference with privacy, and serious or repeated interferences can attract steep civil penalties of up to $1.8 million for businesses and $360,000 for individuals.
Why Australia needs the NDB scheme
Australia is proving to be a particular target for cyber criminals for a number of reasons. Firstly, relative to other economies, Australia came through the global financial crisis in remarkably good shape, suggesting there is wealth to be tapped.
Secondly, Australians tend to embrace new technologies and place more trust in them than people of other nationalities. Finally, our comparatively small population and cultural resemblance to both the United States and the United Kingdom make Australia an attractive testing ground for new cyber-crime products before they are deployed in those larger markets.
Over the last 20 years, systems hacking has evolved from random acts of vandalism, intended to showcase an individual’s or small group’s skills or agenda, into a major income source for organised crime, capable of generating millions of dollars. Cyber attacks are also used as a political tool, with frequent reports of foreign states mounting attacks aimed at sabotaging a target country’s economy.
These criminal organisations are run like conventional businesses, with a range of service platforms across their infrastructure, multiple capabilities, and storefronts for buying and selling tools and stolen information. They have KPIs and even hold office parties. And they are innovating at an extremely rapid rate.
The practicalities of compliance
According to the Telstra Cyber Security Report 2017, security breaches that interrupted normal operations affected 59% of all Australian businesses.
In all likelihood that figure does not tell the full story, since many breaches go unreported. One of the advantages of a national breach reporting scheme is that a more accurate picture of cyber-crime and its effect on the Australian economic landscape can begin to emerge.
Businesses must be able to respond swiftly and decisively in the event of a breach. Boards and business owners must consider: how is your business positioned to meet these requirements? What do you need to put in place, and how do you manage cyber risk from an operational perspective? And what about risks that you can’t identify because you don’t yet know what they are?
In the case of a data breach, in-house or external resources should include a technical forensics analyst, legal counsel and a communications specialist, so that the organisation can respond immediately and limit the damage. These resources should be identified, and ideally engaged, before a breach occurs: the 30-day assessment window leaves little time to find them afterwards.
Specific insurance cover is also highly recommended. A comprehensive cyber insurance program needs to cover multiple risks, from financial loss to legal and notification costs, and should be put together by a broker who understands both your operation and how a data breach could affect it.
Need advice on cyber security for your business?
Gallagher is ACAPMA’s insurance partner, with a team of specialist brokers for the convenience store and petrol retail sectors. Request a cyber insurance quote, or more information on Gallagher’s product range, here.
An outline of the Notifiable Data Breaches (NDB) scheme and a downloadable notification form can be accessed via the OAIC website.