Sensitivity around our personal data is growing as companies which have had data breaches are increasingly being held to account. These breaches happen daily around the world, whether the data involved is credit card information, names, email addresses, phone numbers, dates of birth or passwords. Increasingly, customers and clients want to know whether the data your business holds on them has been breached. And now New Zealand businesses could be impacted by Australian legislation which makes notification mandatory for certain data breaches. John Martin explains.
Can you explain what the changes to the Australian Privacy Act for Notifiable Data Breach legislation are and what it means?
The Australian Notifiable Data Breach (NDB) scheme is an amendment to the Australian Privacy Act 1988 (Cth) that establishes requirements for organisations in responding to certain data breaches. It came into effect on February 22. It stipulates that organisations have notification obligations to the Office of the Australian Information Commission (OAIC) and to individuals impacted by certain data breaches.
A data breach which requires notification occurs when the following criteria are met:
• There is unauthorised access to, or disclosure of, personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
• This is likely to result in serious harm to any of the individuals to whom the information relates.
• The entity has been unable to prevent the likely risk of serious harm with remedial action.
‘Serious harm’ is not limited to economic or financial harm but could also include emotional, psychological, physical or reputational harm. In assessing whether a breach constitutes an eligible data breach, it is necessary to consider the circumstances, including the scope of disclosed data, the type of data disclosed, whether it’s protected (e.g. through encryption), who might have received the information and the currency of the information.
Introduction of the scheme potentially impacts hundreds of thousands of organisations required to comply with the Privacy Act.
The law change is a catalyst for businesses to ensure they have a plan to respond effectively once a breach is identified – in order to both comply with the changes, as well as to contain the reputational impact and cost of a breach.
Why have the Australians gone down this path?
The reality is that in today’s global and digital business landscape, data breaches are going to happen; it is not a question of if, it is inevitable. The volume and sophistication of cybercrime is ever-increasing; security teams are sifting through 200,000 security events per day on average [IBM Research]. It is estimated that cybercrime will cost the global economy more than US$2 trillion by 2019 and $8 trillion by 2022, and represents what could be the greatest threat to every company in the world [Juniper Research].
According to the Office of the Australian Information Commission (OAIC), the NDB scheme strengthens the protections afforded to everyone’s personal information and improves transparency in the way agencies and organisations respond to serious data breaches.
This supports greater community confidence and trust that personal information is being protected and respected and encourages a higher standard of personal information security across Australian industries.
Is New Zealand likely to follow suit?
According to the Privacy Commissioner, the New Zealand Government has indicated that a mandatory requirement to report data breaches is going to be part of the changes being introduced to New Zealand’s Privacy Act. The Law Commission, in its 2011 privacy law review, recommended mandatory data breach reporting, and the Government agreed with that recommendation, among others. [It was tabled in Parliament in late March – Ed]
Many countries around the world are making similar changes.
There will also be another 60 Tb/second international internet link via the Hawaiki submarine cable system to be introduced in June 2018, meaning there is a high probability that we will likely experience increased exposure to cybercrime in the near future.
How will it affect Kiwi organisations trading with Australian firms?
New Zealand organisations which carry on business in Australia and collect or hold personal information in Australia could all be affected by the NDB scheme and would need to comply with the Privacy Act. This includes New Zealand businesses which have no physical presence in Australia but have an online presence.
What is the most likely outcome from this legislation?
The introduction of legislation in Australia will increase awareness of the need for proactive planning for security breaches and incentivise many organisations to put a response plan in place.
Businesses will also need to be clear who is handling communications with stakeholders (such as the OAIC and affected individuals) well in advance of a breach, as failure to act quickly will fall foul of the Privacy Commissioner. It will also make consumers more aware of the obligations of businesses handling their data.
Evidence shows that many Australian organisations will struggle to meet expectations and obligations of the new law. According to the 2017 IBM Ponemon report, organisations, on average, took more than five months (or 175 days) to detect that an incident had occurred. Failure to comply with the organisation’s obligations under the Privacy Act could lead to financial penalties – up to A$360,000 for individuals and A$1.8 million for body corporates.
How can New Zealand organisations defend against breaches?
Organisations should look for the root cause of the breach as part of the incident response. This includes identifying the initial attack and addressing the root cause by remediating the issue permanently to prevent reoccurrence.
Drawing on the expertise of security teams is often needed to effectively manage the breach lifecycle in accordance with any organisational or legislative compliance mandates. As breaches are often global in nature, access to global experts who can respond to incidents in a repeatable manner, and provide access to rich intelligence information, can significantly improve the response to a breach, as well as reduce the time to respond – saving costs and resources to the organisation.
At IBM we’re also applying our artificial intelligence platform Watson to help augment human skills and expertise. AI technology can support and augment a limited pool of available security analysts to manage the sheer scale of the global threat landscape, when it comes to cybersecurity and monitoring and alerting of possible breaches.
The message for New Zealand organisations is: don’t wait for our local Government to implement changes to New Zealand’s privacy law. You should be preparing your incident response plans now – whether you have a commercial relationship with businesses and consumers in Australia or not. It just makes good business sense.
I read that the greatest security threat to an organisation is its employees?
Human error accounts for 28 percent of data breach incidents, usually involving a negligent employee or contractor [Ponemon 2017 study].
Hiring effectively and skilling up your workforce to help avoid security incidents is a critical part of your defences. Employees need to better understand the value of data, and how to avoid putting it at risk. This includes best practices like encrypting sensitive data or implementing appropriate technology controls around sensitive data.
Well-trained and observant employees are also a huge asset in preventing and spotting breaches earlier, and therefore in reducing the cost of a data breach.
What are you advising businesses to do?
As a priority, all organisations affected by the NDB scheme need to put a reliable response plan in place. This will ensure an appropriate, reliable and effective response plan is followed as soon as a breach is discovered or suspected.
As events usually move at speed, having a robust and well-tested response plan helps ensure all critical processes and actions are followed, and that the organisation can be confident nothing is going to be missed. In the recently released Ponemon Institute Cyber Resilient Organisation Study, 77 percent of nearly 3000 survey respondents around the globe said they do not have an incident response plan in place.
The brand value of a well-executed response plan should also not be underestimated. Organisations that have suffered any well-publicised breach will also be judged publicly on their ability to respond and recover. When a breach occurs, it is crucial it is handled with an understanding of the potential impact it will have on the organisation’s trust with its stakeholders, and with affected customers and partners.
But is anything really going to stop a breach?
There are some key actions that most organisations can take immediately to reduce the risk and impact of a data breach, including:
• Extensive use of encryption.
• Employee training.
• Appointing a chief information security officer.
• Having an incident response team in place, whether internally or with a credible partner.
Increasing cybersecurity threats are indeed the nature of the world today. Breaches will happen; it’s how you respond that matters. It’s best to focus on:
• Minimising the loss of revenue associated with a security incident.
• Better protecting intellectual property, client data and reputation.
• Recovering in a shorter time, getting back to business more quickly and reducing the costs associated with managing the breach.