Mandatory notification of data breaches is becoming more commonplace across the globe. Many financial institutions are now required to comply with the NY DFS cybersecurity regulation (23 NYCRR 500), any organization processing the personal data of individuals in the EU should be in the midst of their GDPR preparations, and now Australia has announced that it will also be joining the party.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Parliament in February 2017, and comes into effect as of February 22, 2018. As with other compliance regulations, penalties can be applied to those who are found to be breaking the rules. In this case, failing to comply with the scheme counts as an interference with privacy, and serious or repeated non-compliance can attract a court-imposed civil penalty of up to AUD 1,800,000 for a body corporate, on top of the hefty financial impact of the breach itself.
The bill applies to all Australian Privacy Principle (APP) entities, which includes most Australian Government agencies and private sector organizations with an annual turnover of over AUD 3,000,000. It’s important to note that the bill also applies to organizations that hold tax file number information, certain credit providers and credit reporting bodies, and there are some other nuances depending on the type of business or services you provide. If you are unsure as to whether you are covered by or exempt from this bill, the OAIC’s website has guidance on who the scheme applies to.
The documented timeframe for reporting an eligible data breach (one where unauthorized access to, unauthorized disclosure of, or loss of personal information is likely to result in serious harm to any of the individuals the information relates to) is not as prescriptive as the 72-hour reporting window under GDPR. Instead, non-exempt organizations must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable after becoming aware of the breach.
There is also a requirement to assess suspected data breaches within 30 days of becoming aware of them, during which time you need to ascertain whether a breach actually occurred and whether it meets the eligibility threshold for notification. Note that 30 days is an upper bound, not a target: the assessment itself must be reasonable and expeditious, and the notification obligation kicks in as soon as you conclude that the breach is eligible, even if that is on day three. Thirty days may seem like a decent amount of time to conduct such an investigation, but if you’ve spent any time doing incident response you’ll know that days and weeks can fly by pretty quickly. Time is a strange beast when the proverbial fan and excrement come together.
If you’re looking for advice on next steps, the OAIC (whose website I really cannot praise highly enough) have put together a wealth of easily digestible information that will help you on your compliance journey. In particular, I’d recommend you start by reading these two guides:
The latter is complementary to a much more in-depth document on handling personal information security breaches, which includes a section on preventing future breaches. When reviewing your current breach response measures you should use this advice as a benchmark: does your IR plan actually let you complete an assessment inside the 30-day window, and does it define who decides that a breach is eligible and who notifies the OAIC and affected individuals? All too often, organizations heed this type of advice only after they’ve been subject to a critical incident, so take the opportunity now to learn from others who have lived through the pain of a breach.
Need a helping hand? Our experts are here to help you. Rapid7’s IR services team bring a wide range of backgrounds and many thousands of hours of incident response experience. We’ve got a range of incident response services that can fit your needs, whether those needs are assistance developing an IR program, concern about a potentially compromised environment, a second opinion on your organization's breach readiness, or immediate help with a potential breach.
And if you’re worried about not having the staff or expertise in-house to monitor your environment for threats and attackers (and let’s face it—not everyone has the luxury of having a 24x7x365 security operations centre at their disposal!), don’t panic: we’ve got your back. Rapid7’s Managed Detection and Response (MDR) can be your eyes and ears, and we include a compromise assessment and two incident escalation investigations per year as part of the package. You can learn more from one of our MDR customers, Bill Heinzen of NISC here.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 isn’t just about sending some emails out to customers or putting a notice on your website after the horse has bolted. Prompt investigation and response are key for limiting the impact of a potential breach, and can make a world of difference to those whose data you hold.