The Australian Federal Government has passed the Privacy Amendment (Notifiable Data Breaches) Bill 2017, which will go into effect on February 23, 2018. This amendment will require organizations with an annual turnover of $3 million that suffer a data breach to report it to the Privacy Commissioner. They must also notify each individual to whom the personal information relates, or the individuals who are at risk from the eligible data breach.
Which Australian Businesses Will Be Affected:
While this bill doesn’t apply to all organizations, it does include:
· Businesses that sell or purchase personal information
· Private sector health services providers including private hospitals, medical practices and pharmacies
· Private schools (from pre-K through graduate level), including child care centers
· Individuals who handle personal information such as tax preparers, credit reporters or health records
Data breaches that fall under this amendment include any unauthorized access to, unauthorized disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to the individuals to whom the personal information relates.
After suffering a breach of such information, organizations are legally required to report it as soon as possible and must provide:
· Description of the data breach
· Information on what type of data was compromised
· Recommendations on what individuals should do in response to the breach
How Does This Regulation Impact The Cybersecurity Landscape?
Cybersecurity has been a major concern not only in Australia, but throughout the APAC region. Countries are pressed to ensure not only that they are keeping their government information safe from breaches, but also that they are safeguarding their citizens’ information. It’s likely that there will be an uptick in other countries looking at how best to protect their citizens’ private information. But just like their local businesses, governments also must plan for the inevitable breach and have a clear understanding of what they can handle internally if a breach does occur.
For most organizations, breaches aren’t just a business matter – they’re also a personal matter. And it’s not a question of “if” a breach will occur but rather “when” one will occur. If an organization suffers a breach and does not report it in a timely manner, there are steep repercussions and penalties (including fines in the millions of dollars), not to mention a loss of trust by customers. For example, a breach could result in an organization being liable for a civil penalty of up to 2,000 penalty units, the current value of which is $1.8 million.
While the regulations may sound new, they aren’t worth panicking about. They have been in the making for quite some time and should not be a surprise or shock to companies conducting business in Australia.
What Relationships Can Businesses Leverage To Help?
Australian and APAC organizations need to understand that being compliant isn’t enough; they must also have an action plan in place in the event that a breach does occur. Organizations that do experience a breach can become inundated with action items that need immediate attention, and they won’t have the time, bandwidth or resources to conduct the in-depth research needed into how and why the breach occurred in the first place.
For companies that don’t have the internal resources to handle a breach, a strategic relationship with a managed security services provider (MSSP) can be very helpful. This partnership not only provides companies with critical assistance during a breach but also allows for the deployment of a tactical incident response plan. By utilizing an MSSP, Australian businesses are able to leverage the MSSP’s 24×7 alerting and monitoring support and the SOC analysts’ expertise to offload some of the workload.
“Security log collection and SIEM technologies are a critical part of an organization’s ability to detect potential security breaches, along with providing valuable data during the investigation of a potential incident,” said Jeremy Vance, Vice President of Security Operations at Proficio. “Doing so requires having access to resources that know how to search and interpret those security logs effectively to provide insight into the timeline and scope of the incident.”
When a breach does occur, Proficio supports its worldwide clients by performing log searches, investigations, cross-device correlation, analysis of existing data, incident response and forensic services to provide as much insight as possible into why and where the breach occurred and how to prevent another one from happening. “Our team of expert security analysts is able to conduct deep dives into client logs to gather as much information as possible for our clients or legal entities that may be requesting data to support their breach investigations,” Vance stated.
By forming close relationships with organizations in Australia, Proficio is helping them send a message that cybersecurity is a prime concern and being prepared for a potential breach is critical. This message resonates strongly with our clients, and supports their reputation as a trustworthy vendor who tailors solutions for each organization’s cybersecurity needs.