From today, the mandatory Notifiable Data Breaches (NDB) legislation, established as part of the Privacy Amendment (Notifiable Data Breaches) Act 2017, will be enforced for all APP Entities with personal information security obligations under the Australian Privacy Act 1988 (Cth)… and it couldn’t have happened soon enough for consumers and those fighting the ongoing battle against cybercrime.
The legislation will impose a legal requirement for all eligible organisations, which include APP entities with an annual turnover of $3 million or more, to provide a notice (as soon as practicable) to individuals whose personal information has been, or is suspected to have been, involved in an eligible data breach that is likely to result in serious harm, as well as provide recommended steps to both remediate and mitigate against future attacks. The Office of the Australian Information Commissioner (OAIC) must also be notified of each eligible breach.
The question on impacted organisations’ minds, however, is… will this legislative change have a negative impact on customer (or consumer) perception? The short answer is, it doesn’t have to. We’re all for collaborating and sharing information to help bolster cyber defences and combat cybercrime, and that includes working with our customers – it’s just about making sure everyone understands that.
We thought we’d pull together some tips to help organisations maintain trust with their customers.
Understand what’s required of your organisation because of the NDB scheme
First and foremost, it’s vital to understand what’s legally required of your organisation now that the NDB scheme has taken effect. Organisations that are unsure of whether it is an APP Entity under the Privacy Act should seek professional advice.
If you are considered an eligible APP Entity, read up on the notification options recommended by the OAIC, as well as the information that must be included for each notification option – you don’t want to end up being liable for sanctions, or cause panic because you failed to comply with the requirements.
Check out the Office of the Australian Information Commissioner’s (OAIC) official info sheet here: https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/notifying-individuals-about-an-eligible-data-breach.pdf
Be upfront about the NDB changes to your customers, before there’s a breach
By giving your customers a heads-up about the NDB legislative changes and thereby providing an understanding about what to expect should there be a breach, there won’t be any surprises if an eligible breach occurs that requires them and the OAIC to be notified.
Remind your customers that we’re all in this together
Successful cyber breaches are now commonplace in news headlines – it’s probably a good idea to remind your customers just how common they are, without causing any undue panic. By highlighting the fact that attacks are becoming increasingly sophisticated and frequent, and the need for a joint defence between organisations, cyber security experts, governments and consumers, your customers will want to be part of the solution. Then, should a breach occur where actions on one or both sides are required, your customers will view these actions as both sides contributing to the ongoing fight against cybercrime.
Remember, collaboration, transparency, awareness and knowledge-sharing are the keys to a safer cyber landscape.
Understand when a notification isn’t necessary
Not all data breaches require notifications to individuals or the OAIC. In particular, a data breach that satisfies the requirements of an eligible data breach won’t require notification if the APP Entity takes remedial action and a reasonable person would conclude that (as a result of the remedial action) the data breach is not likely to result in serious harm. This exemption highlights the importance of early detection and action, and of having appropriate processes in place to identify and respond to a potentially serious data breach.
Learn as much as you can about what happened, and share key information with your customer and the OAIC should the data breach require notification
The first questions your customer will ask if there’s an eligible data breach that could cause them serious harm are ‘What exactly happened?’, ‘How did it happen?’ and ‘What’s been done about it?’. You want your initial notification to answer these questions as accurately as possible to allay any fears they might have, without sounding waffly or defensive. Don’t pretend to know information you don’t, in case you get contradicted down the track.
Once a suspected data breach is determined to have the potential to result in serious harm, and meets the requirements for notification, the key is to examine the root cause of the breach and the extent of the damage quickly (or to engage someone who can), then take steps towards remediation prior to contacting your customer. The OAIC then recommends including the following in notifications to impacted individuals and the OAIC:
- The contents of the statement to the OAIC
- The identity and contact details of the organisation, business or agency with the eligible data breach
- The kind (or kinds) of information involved in the breach
- Recommendations around appropriate steps to remediate
It’s up to the APP Entity to determine the appropriateness of their recommendations, depending on the circumstances surrounding the eligible data breach. This may include choosing to tailor recommended steps around an individual’s personal circumstances, or providing more general recommendations that apply to all individuals involved.
Use your usual communication channels for notifications
The OAIC recommends that APP Entities use their usual communications method(s) when notifying eligible customers or consumers of the breach – whether that’s via phone, email, SMS, mail, social media or in person, it’s permissible as long as the method can reasonably impart the necessary information. To determine this, it’s worth considering the likelihood that the recipient of the notification will become aware of, and understand, the notification, as well as take the recommended remediation steps into consideration.
Provide steps for your customers to take, and share the steps you’ve taken
To reinforce the notion that fighting cybercrime is a collaborative effort, share the high-level remediation and future mitigation steps you’ve taken with your customer should an eligible data breach occur that requires notification, as well as recommending steps they should take from their end (and outlining the rationale for taking them). That way, everyone’s doing their bit and your customers will be more confident that adequate action has been taken.
Let them know what you’ve done to avoid similar breaches in the future
Detail the key control measures you’ve put in place to avoid similar future attacks, mentioning any thwarted attack attempts that have resulted from those measures. It’s also worth mentioning any knowledge-sharing that’s taken place from an industry perspective. This demonstrates continued improvement and a willingness to collaborate to get increasingly effective and rapid results, ultimately leading to better future mitigation.
Get outside help if you need it
The Notifiable Data Breach scheme demonstrates that having a mature Incident Response approach is no longer a ‘nice to have’, but rather a necessity for all organisations, agencies and businesses – it’s time for everyone to start assessing their current cyber security response capability and uplifting their data breach response plans.
The problem is, not all organisations have the in-house cyber security capability to quickly and effectively identify eligible data breaches and remediate them. That’s ok – not all organisations are expected to. Take advantage of specialist cyber security consultants and the services they offer – whether it’s once-off advice or ongoing support. This will help minimise the number of eligible data breaches that occur within your environment in the first place.
…and there you have it – being prepared helps you win the battle. This is where Kinetic IT’s Security Assurance service can really be of use. We can help determine your preparedness for handling an eligible data breach, then help ensure you have the right processes in place to respond should the worst happen.