Cyber resilience – When private information gets splashed around the Internet
There has been some very high profile data breaches that have made local and world-wide headlines. These basically involve information, which should be private and confidential, getting out into the public domain. These are sometimes very sophisticated hacks but more often they have been as simple as employees copying large volumes of information and publishing them on the internet. Very often, breaches are caused by extremely slack password processes and security, or just being unaware of the danger.
The Australian Government has established a Notifiable Data Breach (NDB) scheme to ensure that affected individuals are notified about serious data breaches. The scheme will apply to all businesses, government agencies and other organisations, including not-for-profits, covered by the Australian Privacy Act 1988 (Privacy Act) and will commence on 22 February 2018.
NDB definition
A NDB refers to data breach likely to cause serious harm to those whom the information relates to.
A data breach occurs when personal information:
- Stored in a device is lost or stolen
- Is stored in “hacked” database
- Mistakenly given to wrong person.
The NDB scheme requires an entity to notify the Privacy Commissioner and any individual whose private information was compromised in the event of a NDB.
Implementing reasonable steps
Organisations need to consider the implementation of policies, process and procedures to adequately protect personal information. These include, but are not limited to:
- Governance, culture and training
- Internal practices, procedures and systems
- ICT security
- Access security
- Third party providers (including cloud computing)
- Data breaches
- Physical security
- Destruction and de-identification
- Standards
Where to start
In summary, this reform requires significant transformation towards governance and risk management, practice, policies and procedures, ICT architectures, workforce culture, and operations.
At present, we observe that only a handful of organisations are well placed to respond to current privacy and information security risks, due to effective governance and risk management. Many organisations are still coming to terms with emergent information security risks and implications towards wider operational, compliance and reporting requirements.
If you are feeling overwhelmed by these issues, don’t be! Our team of experts would be very pleased to meet with you to discuss how we can journey with you in this process.