by Jennifer O'Brien

Updated: Industry dissects rollout of data breach laws in Australia

Feb 22, 2018

Australian Information Industry Association (AIIA) CEO Robert Fitzpatrick welcomes today’s rollout of the Australian Notifiable Data Breaches (NDB) legislation which makes big changes to the Privacy Act.

The new data breach notification laws impose mandatory investigation and notification requirements on various businesses. Importantly, these requirements will apply to most businesses with an annual turnover greater than $3 million, with some limited exceptions.

“Importantly, the NDB scheme provides a notification that must include recommendations about the steps that should be taken in response to a breach. The ICT sector has a very central role in helping organisations meet their compliance commitments under the scheme, as well as preventing and remediating data breaches,” Fitzpatrick said in a statement.

“The ability to confidently engage online is a critical foundation of a digital society, and anything that builds confidence for citizens and businesses is an important step forward.”

Fitzpatrick said the NDB scheme establishes requirements for entities in responding to data breaches. It applies specifically to data breaches involving personal information where the likely result is serious harm to an individual affected.

“This is not just a technical issue for CIOs. It’s a whole of business issue that all levels of management need to get behind. It’s about managing customer data for the whole business operation.”

As reported earlier in CIO Australia, the new requirements will also apply to businesses whose IT contracting arrangements involve disclosing personal information about their employees or customers to suppliers, or allowing those suppliers to use it (including overseas-based suppliers).

Essentially, all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) must comply.

This includes entities such as Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and Tax File Number (TFN) recipients, among others.

IBM Security CTO Chris Hockings, who runs one of the largest incident response centres in Australia, told CIO Australia the new legislation will have a big impact on organisations and individuals.

“The introduction of Australia’s Notifiable Data Breach scheme is a welcome addition to our ongoing fight against cybercrime and data breaches.

“The legislation will require all businesses to take a renewed approach to managing their security defences, to ensure that personal information is adequately protected. Introducing more rigorous rules around breach notification will also see the number of breaches we see reported increase and encourage organisations to adopt a greater transparency with their customers.”

Meanwhile, Gartner research director Rob McMillan said the new requirements leave latitude for the interpretation of what may be considered serious harm.

“Depending on the circumstances, this can either work in favour of the breached organisation (for instance where immediate remedial action has effectively negated the potential for that harm) or against (for example, where the breached organisation has chosen to consider the potential harm as relatively minor in contrast to a later determination by the regulator).

“This suggests that the prudent organisation would keep good records as to criteria used to determine the seriousness of the breach and the effectiveness of remedial action, and to adopt an objective view to the greatest extent possible.”

Like Fitzpatrick, ACS President Yohan Ramasundara welcomed the commencement of data breach notification laws, calling them a vital step in the development of a mature digital economy.

“We create more data on a daily basis than at any time in human history. Much of it is personal and valuable. Consumers have every right to know if their data has been compromised, and this new legislation ensures businesses act responsibly with the data they hold.

“Cyber security is an ongoing challenge, and both industry and government must continue to build cyber security assets to prevent data breaches. The government has recognised that we have a shortage of appropriately skilled cyber security professionals and as the professional association for Australia’s ICT sector we have introduced new Certified Professional (Cyber Security) and Certified Technologist (Cyber Security) certifications to promote skilled cyber security practitioners to keep up with the demand for talent.”