Benjamin Franklin once said, ‘an ounce of prevention is worth a pound of cure’. Today the same logic applies to the case for protecting our important information.
Unfortunately, recent history shows that data breaches are a fact of life for many organisations – no-one knows who is going to be breached, or when.
That said, proven incident handling and breach impact minimisation, built on solid operational security, have a significant return on investment when compared to the potential financial impact and brand damage of a breach.
The Notifiable Data Breaches (NDB) Scheme, commencing on 22 February 2018, is a timely reminder to take stock of our approach to protecting information. The Scheme will require organisations covered by the Australian Privacy Act 1988 to notify the Office of the Australian Information Commissioner (OAIC) and all individuals likely to be at risk of serious harm when personal information is compromised by a data breach.
Organisations wishing to clarify whether the Scheme applies to them, and the extent to which its obligations affect existing processes and capabilities, should seek legal advice. That said, as with the Privacy Act 1988 and its amendments, the NDB Scheme is concerned with information that is ‘about’ an individual, or from which an individual’s identity can reasonably be ascertained.
Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
Organisations covered by the Scheme should take the following immediate steps:
- Ensure the existing information security incident response plan covers the reporting and notification requirements set out in the Scheme, in addition to detecting, containing and ‘fixing’ the breach. If no response plan is in place, one should be developed.
- Conduct privacy impact assessments and information security risk assessments where needed, to understand where personal information is stored, what risks holding that data creates for your organisation, and what controls are required to manage those risks.
Having these processes and capabilities in place will enable you to respond to any breach in line with the requirements of the Scheme. Second, and equally important, you need to understand the controls and risk treatments required to reduce the likelihood of a breach occurring in the first place.
If your current cyber security maturity is well developed, then the NDB Scheme may be ‘business as usual’. If your cyber security maturity is still growing, then developing, implementing or refining your cyber security risk management program is the ideal way to raise it while better protecting your firm, its shareholders and its customers.
Risk management is the foundation of your maturity improvement program. Effective risk management will identify the gaps that must be closed to address new risks arising from the NDB Scheme. An inclusive risk management approach will also identify other cyber risks that could affect your organisation, particularly:
- Reputational / Brand Damage
- Failure to meet compliance and regulatory requirements
- Financial loss from incident clean-up, loss of customers or market share, fines, etc.
Regardless of whether your organisation is covered by the Scheme, now is the time to review your approach to cyber security, in particular incident response.
To help, Lyal Collins, CISO of Loop Secure, and I have prepared a complimentary whitepaper analysing the impacts of this change and providing advice on the preparation required. Download it here.