The Australian Government has published an exposure draft of the anticipated mandatory data breach notification scheme that will eventually come to effect through an amendment of the Australian Privacy Act.
The key question organisations must be capable of answering is: Are there reasonable grounds to believe that a serious data breach has occurred?
- Yes: Notify the Australian Information Commissioner & the affected individuals (unless exception applies)
- Unsure: up to 30 days to assess whether a serious data breach has occurred and act accordingly
Non-compliance with the notification requirement may result in fines of up to $340,000 for individuals and $1.7M for companies, according to the OAIC Data Breach Notification Guide.
The scope of the proposed scheme can be summarised as follows:
- Organisations: those in scope of the Privacy Act = most Australian Government agencies & private sector organisations with annual turnover > $3M
- Data: personal information, incl. credit related information (reporting & eligibility) & tax file number information
- Data action: unauthorised access, unauthorised disclosure or loss of data
- Condition: “serious data breach” = real risk of serious harm to the affected individual. “serious harm” = physical, psychological, emotional, economic, financial harm & harm to reputation.
Complying with the proposed regulation would depend on an effective capability to detect data breaches and qualify them against the above criteria. This is probably no easy feat for most organisations, if not all.
The OAIC provides some advice on data protection measures, and it also refers to the Australian Government’s Protective Security Policy Framework and the Information Security Manual, which do provide good guidance on detecting cyber security incidents and enabling security monitoring. However, how can organisations assess whether their capabilities are actually ready to meet the requirement of the scheme, and be assured they are able to answer the key question: Are there reasonable grounds to believe that a serious data breach has occurred?
There are probably two elements to an answer to the above readiness question:
- Knowing where the data in scope of the scheme is, knowing who has access to it, knowing who is protecting it and knowing how well it is protected (from Telstra’s Five Knows of Cyber Security; here the value of the data is assumed to be known)
- Assessing, in enough depth, the cyber security incident and data breach monitoring and detection capability, and the granularity of the information it produces (are the logs granular enough to know what data would have left the organisation?)
In anticipation of the proposed scheme coming into effect, it may already be a good time for organisations to find answers to the two points above.