Dear OAIC,

I love your website. I really, really, really, really, REALLY love your website. It is brilliant. Thank you.

Warm regards,

Samantha Humphries
Rapid7 Senior Manager, Global Markets & Compliance

Glad I’ve got that off my chest. I should probably elaborate on my feelings, not just because our community manager might think I’ve finally lost my remaining marbles and she has to approve this blog, but because I want you to love their website too, especially if you’re gearing up for the Notifiable Data Breaches (NDB) scheme, which comes into force on February 22, 2018. And even if NDB doesn’t affect you, it’s worth reading on, I promise.

If you’ve read my NDB blog from last year, you will have already seen this budding one-way romance in action. Our Australian team had given me a heads up that this new regulation was coming, so I duly went off to research it. This was the moment I first visited the OAIC website... and I honestly did a little dance in my chair. Hooray for useful, actionable information! Hoorah for decent security advice! Three cheers for clarity!

Now, you might still be questioning my dwindling marble situation, as this is what you’d hope to find on a website. However, I’ve spent a lot of time reading and learning about various compliance regimes, GDPR in particular, and often there is a lot of FUD, with a generous sprinkling of misinformation and a smattering of utter trash. Just today, I read something from a very large global consultancy firm that had the wrong data on the percentage amounts for GDPR fines. This may not be life-threatening in the general scheme of things, but I’d expect an organisation of their calibre to be accurate when talking about compliance.

Granted, this is a government website, and as the body responsible for the NDB scheme, it would be something of a travesty if there were errors. The quality of information and the level of detail is incredible. The OAIC have documented the requirements on breach notification, which apply to certain entities, and they have information on investigating suspected breaches, an assessment which should be completed within 30 days. They go on to talk about best practices for securing personal data, a guide to handling personal information data breaches, and they have a really good webinar to help organisations who are preparing for NDB.

Wow Sam, a government website has helpful stuff on it. Cool story, sis. Yet the thing with many compliance regulations is that it’s easy(ish) to tick a bunch of boxes, say “we’re done” and head off to grab a beer. However, as many a conference talk will tell you, compliance does not equal security, and the OAIC seem to genuinely care about helping organisations improve their security program and have the right incident response plans in place if something goes amiss.

Please do take some time to click through the links in this blog; in case you hadn’t noticed, I am a pretty big fan of the information they’re providing. When the OAIC delivered the NDB webcast back in November 2017, a fair chunk of the audience were still in the early stages of learning about the topic. Therefore, even with only a few weeks left to go, it’s highly possible that not everyone is totally ready for this new regulation. And even if you are ready, it’s never a bad idea to put your incident response plan through its paces, just in case there are some gaps. Attack simulation exercises are a great way to go about this, or you could look at a blended “purple team” exercise whereby a penetration testing/red team goes up against an incident response/blue team.

If you’d like to learn more about how Rapid7 can help, we have some helpful NDB related goodies available for you to download in this toolkit.