The long-awaited mandatory Notifiable Data Breaches legislation, established as part of the Privacy Amendment (Notifiable Data Breaches) Act 2017, takes effect today, impacting all APP Entities with personal information security obligations under the Australian Privacy Act 1988.
What does the Notifiable Data Breaches legislation mean for organisations?
The Notifiable Data Breaches (NDB) legislation will impose a legal requirement for all eligible organisations, which include APP entities with an annual turnover of $3 million or more, to provide a notice (as soon as practicable) to individuals whose personal information has been, or is suspected to have been, involved in an eligible data breach that could result in serious harm. They must also provide recommended steps to both remediate and mitigate future attacks.
The Office of the Australian Information Commissioner (OAIC) must also be notified of each eligible breach.
Kinetic IT’s response to the Notifiable Data Breaches legislation
Kevin O’Sullivan, Kinetic IT’s Group Manager, Security Intelligence Services, says, “The new legislation couldn’t have come soon enough for the security industry, businesses and consumers alike – we need to remember we’re all in this together, and that means being transparent, collaborating and sharing our experiences to get faster and more widespread results.”
“We also understand that organisations may be concerned about losing customer trust as the result of this new legislation – the key to avoiding this is preparation and knowing exactly what is required when it comes to these notifications. Causing unnecessary stress or panic doesn’t help anyone.”
How do you know when you need to notify?
To determine whether a notification is necessary, and to make a compliant notification possible should an eligible data breach occur, agencies and organisations will need to assess each suspected breach to determine whether it is likely to result in serious harm.
“It’s time to start assessing your current cyber security response capability and uplifting your data breach response plan. If you’re concerned that your organisation may not have the in-house capability to conduct an adequate breach assessment, or remediate effectively, take advantage of trusted Australian specialist services like Kinetic IT’s Security Assurance service,” says O’Sullivan.