Urgent action needed to prepare for data breach law
Australian organisations have less than 12 months to prepare for the introduction of mandatory data breach notification legislation and need to be taking action now to avoid severe penalties.
Many organisations in Australia will need to comply with the new regime, which comes into effect in February, according to CSA CTO Brett Woods. Penalties for serious or repeated violations will be up to $1.8 million for companies and $360,000 for individuals.
While the legislation mainly affects companies and non-profit organisations with turnovers of more than $3 million, even smaller organisations that need to comply with the Australian Privacy Principles will also need to be compliant.
These include any individuals who handle personal information, such as accountants, as well as childcare centres, private educational institutions and private sector health and fitness providers.
The legislation classifies a data breach as an instance where there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.
Palo Alto Networks VP and Regional CSO for APAC Sean Duca said the criteria defining eligible breaches that must be reported include “a likelihood that the individuals who are affected by the incident are at ‘risk of serious harm’ because their information have been exposed”.
Any affected organisation must take steps to ensure compliance between now and February 2018, when the new requirements will take effect. The first step is to understand what the phrase “take reasonable steps to protect personal information” means within the context of an organisation, CSA said.
Organisations will also need to take action to reduce the risk of a breach, such as aligning security practices with recognised standards such as ISO 27001. CSA is also advising organisations to review their policies and procedures to ensure they are compliant with the principles of the Act.
“With the stakes now higher than ever, it is imperative that business leaders and boards take action to reduce the risk to their organisations. Information security is no longer a problem isolated to CIOs and heads of security,” CSA’s Woods warned.
“The impact of data breaches, and the impending requirement to publish any occurrences, can have a devastating impact on an organisation’s brand. The knock-on effect to consumer trust and confidence, corporate partnerships and stock prices for larger companies can be significant.”
He said the biggest problem is that many organisations don’t understand their current security posture, which is why the reviews are so important.
Palo Alto’s Duca added that organisations should also be conducting audits covering how they are holding data and whether it sits with any third parties such as cloud providers.
“Strengthen your cybersecurity defences. Visibility is key. This means reviewing your cybersecurity strategies and practices to ensure that steps are in place to avoid data breaches or you have outlined ways to reduce administrative errors, which could lead to a breach,” he said.
Additional controls could include limits or restrictions on who can access sensitive data and improving the governance of data sharing, he said.
“Now is the time to sit down, have these conversations and look at how you’re protecting customer data and whether your security practices are adequate. For organisations that have been reluctant to invest in information security practices, this legislation alone should not be the primary driver to protect your organisation and, ultimately, your customers’ data,” Duca said.
“As a priority, every organisation should continually review its data security to ensure that no customer data is unwittingly compromised. You should look at using a risk-based methodology for managing privacy and not wait for the law to come into effect, as the time to act is now.”
More than 60 Australian cybersecurity industry leaders are heading to the US this week to build...
The NZ government will work with the private sector and the public to refresh New Zealand's...
The Cyber Security Cooperative Research Centre, based at Edith Cowan University, is the result of...