Notifiable Data Breaches: It’s time to understand your risks and reporting responsibilities

In the 12 months from April 2018 to March 2019, the Office of the Australian Information Commissioner (OAIC) received 1,132 notifications under the Notifiable Data Breaches (NDB) scheme, of which 964 were confirmed as eligible data breaches. That is roughly seven times the 159 notifications received in the previous 12 months, most of which fell before the scheme became mandatory, when notification was voluntary.

So why the increase? Is it a sign that we are being subjected to more hacks and threats? Not necessarily. The rise in notifications is largely a positive sign: businesses are becoming more aware of their obligation to report data breaches and are putting in place processes to identify, report and manage them appropriately.

However, despite the increase, there is still a great deal of confusion around the NDB scheme and how it affects organisations. In this article, we explore what an NDB is, why you need to be aware of it, and how you can implement processes and security measures to limit your risk.

What is the Notifiable Data Breach scheme & who does it apply to?

In February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into force, requiring organisations covered by the Privacy Act 1988 to notify the OAIC and, in most cases, the affected individuals of eligible data breaches. Loosely, a data breach is any event in which personal information (what this article elsewhere calls PII) is accessed by or disclosed to someone outside its intended recipients, or is lost. Only a breach that meets the criteria below is an eligible data breach that must be notified. Once an organisation suspects such a breach it must assess it promptly (the Act allows at most 30 days) and, if the assessment confirms it, notify as soon as practicable.

According to the OAIC, an eligible data breach arises when all three of the following criteria are satisfied:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
  2. this is likely to result in serious harm to one or more individuals; and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

The NDB scheme applies to any company or not-for-profit entity with an annual turnover greater than three million dollars. Beyond this, it also covers certain organisations regardless of turnover, including Australian Government agencies, private-sector health service providers (a category that takes in childcare centres and many schools), businesses that buy or sell personal information, and entities that handle tax file numbers; smaller organisations such as schools, childcare centres, travel agents and accountants may therefore well be covered. It does not, however, apply to every business that happens to store PII.

What do NDBs have to do with your IT?

A lot. The NDB scheme should be a key consideration for any business when it comes to IT. Security measures and company-specific processes should be implemented to protect any PII and reduce the risk to your organisation.

The type of IT infrastructure you have in place can significantly affect your ability to reduce the risk of an eligible data breach. Businesses operating a Modern Desktop (Microsoft's term for a cloud-managed Windows 10 and Microsoft 365 environment) benefit from more layers of security than a Traditional Desktop provides.

The collaboration capability of a Modern Desktop also means its security layers integrate with one another: identity, device and endpoint protection share signals, so each layer is aware of its environment and of the other controls in place. A Traditional Desktop cannot match the level of automation and security integration a Modern Desktop brings; each of its security products works independently, and an alert in one tool does nothing to inform the others.

However, having a Modern Desktop and more security tooling does not, by itself, make you compliant with the NDB scheme. Organisations also need to know what personal information they hold, where the risks lie, and how to reduce them.

Much like Workplace Health and Safety, the NDB scheme assumes incidents will happen and is as much about knowing what to do when a breach occurs as about avoiding one. It is therefore crucial to educate your staff on the NDB scheme and make sure they know the process to follow if a breach occurs: who to report a suspected breach to, who assesses whether it is an eligible data breach, and who is responsible for notifying the OAIC and affected individuals.

Be safe by design

At Dynamic Business Technologies, we work with clients to ensure they have the right IT infrastructure in place and the right policies and processes to hand. We believe risk should be minimised and that preparation is the key to preventing and managing data breaches. In short, an organisation should always aim to be safe by design.

Enlisting the help of an experienced IT Managed Service Provider (MSP) can be beneficial to businesses with high or undetermined risk. An MSP can help you:

  • Gain an understanding of the business and identify all risks, including whether the EU GDPR also applies to you (for example, because you offer goods or services to people in the EU) and, if so, whether you are compliant
  • Assess the existing internal systems (is it a Traditional or Modern Desktop?) and policies, and establish what protocols and measures a previous provider has implemented
  • Conduct an audit of all existing data sets to ensure no PII is being stored unnecessarily; information you no longer hold cannot be breached
  • Create a detailed report on the identified gaps and pinpoint where existing risks lie
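The data-set audit in the list above is the one step that lends itself to tooling. As an added illustration (this is not DBT's tooling and not code from the original article), the Python script below scans a text export for Australian tax file numbers and Medicare card numbers, validating each candidate against the publicly documented check-digit rules so that invoice numbers and other nine-digit noise are not reported as PII, and also lists e-mail addresses. The regular expressions, the masking of the report output and the CSV sample are this example's own constructions.

```python
"""Added example: scan an exported data set for Australian personal identifiers.

Finds tax file numbers (TFNs) and Medicare card numbers, validated with their
check digits to cut false positives, plus e-mail addresses. The sample CSV
below is constructed for this example; the regexes, masking and report format
are this example's own choices, not any product's.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Check-digit rules are the publicly documented ones.
# TFN: 9 digits whose weighted sum is divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Medicare: first digit 2-6; weighted sum of the first 8 digits mod 10 equals the 9th digit.
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

# Candidate patterns (digits optionally grouped with spaces or hyphens).
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
MEDICARE_RE = re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d(?:[ -]?\d)?\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def _digits(value: str) -> list[int]:
    return [int(c) for c in value if c.isdigit()]


def is_valid_tfn(candidate: str) -> bool:
    """True if the 9 digits pass the TFN modulus-11 check."""
    digits = _digits(candidate)
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def is_valid_medicare(candidate: str) -> bool:
    """True if the 10- or 11-digit number passes the Medicare check-digit test."""
    digits = _digits(candidate)
    if len(digits) not in (10, 11) or not 2 <= digits[0] <= 6:
        return False
    return sum(d * w for d, w in zip(digits, MEDICARE_WEIGHTS)) % 10 == digits[8]


@dataclass(frozen=True)
class Finding:
    kind: str      # "tfn", "medicare" or "email"
    line_no: int   # 1-based line in the scanned text
    masked: str    # identifier with all but the last three characters hidden


def mask(value: str) -> str:
    """Hide all but the last three characters so the audit report does not itself leak PII."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - 3) + compact[-3:]


def scan_text(text: str) -> list[Finding]:
    """Return every validated identifier and e-mail address found, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TFN_RE.finditer(line):
            if is_valid_tfn(match.group(0)):  # drops invoice numbers and other 9-digit noise
                findings.append(Finding("tfn", line_no, mask(match.group(0))))
        for match in MEDICARE_RE.finditer(line):
            if is_valid_medicare(match.group(0)):
                findings.append(Finding("medicare", line_no, mask(match.group(0))))
        for match in EMAIL_RE.finditer(line):
            findings.append(Finding("email", line_no, mask(match.group(0))))
    return findings


def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Summary for the gap report: how many of each identifier type the data set holds."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample export: one real-looking record, an invoice line whose
# 9-digit number fails the TFN check, and a test record with invalid identifiers.
SAMPLE_EXPORT = """\
name,tfn,medicare,email,note
Jane Citizen,123 456 782,2123 45670 1,jane.citizen@example.com,onboarding 2017
Invoice 987654321 paid,,,,ref 2019-0031
John Smith,123 456 789,1234 56789 0,john@example.com,test record
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_EXPORT)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(count_by_kind(results))
```

Passing the check digit does not prove a number is a TFN (about one in eleven random nine-digit numbers will pass), so treat hits as leads for the audit rather than proof, and note that the report masks every value it finds so that the audit output does not become a new copy of the PII it is looking for.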

The content of the report will vary with the level of risk identified and the IT maturity of the organisation. The next steps will differ accordingly, but common and sensible recommendations include moving to a Modern Desktop and creating clear, documented processes and policies for handling PII and responding to NDBs.

Dynamic Business Technologies understands NDBs and how to protect PII

At DBT we have worked with numerous clients both to prevent data from being leaked and to manage any breaches that do occur. We partner with businesses to provide the education needed to ensure all staff understand the significance of the NDB scheme and what to do in the event of a breach. Beyond this, we ensure that all available security measures are in place and configured correctly to create a secure and protected IT environment.

To find out how DBT can assist your business, contact us today.