Australia’s Notifiable Data Breach Scheme

Set against a landscape of what seems like inevitable data breaches, governments around the world continue to introduce new, tougher breach regulations. The latest in a series of emerging regulations sees the introduction of the Australian Notifiable Data Breach scheme.

In her article for ZDNet earlier this month, Asha McLean looks at the implications of the Notifiable Data Breach scheme and how it might affect both organisations and individuals.


Australia’s Notifiable Data Breach (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

In practice, this means that all agencies and organisations in Australia covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.

You can read the original article here

The article summarises what constitutes a breach, how to determine “serious harm”, what the notification process is and what happens if you fail to disclose a breach.


Does the Notifiable Data Breach scheme go far enough?

Critics of the NDB scheme suggest it doesn’t go far enough. There are a number of organisations that are exempt from the NDB scheme and several circumstances under which organisations do not need to notify regulatory bodies of a breach.

The Privacy Act (of which the NDB scheme is a part) does not define what serious harm is, so the criteria for a qualifying breach are subject to a degree of interpretation. Finally, the penalties for non-compliance under the scheme are significantly lower than those in comparable regulations introduced in other parts of the world.

For instance, the NDB scheme makes provision for a maximum penalty of AUS$2.1 million, based on the severity of the breach and the degree of harm caused. The GDPR, coming into effect in the EU in May, empowers regulators to levy fines of AUS$30 million or more.


Wider implications of a breach

The fall-out from a public data breach is not limited to non-compliance fines; nor is it limited to the organisation itself. Financial penalties can cause less disruption than the inevitable loss of trust or confidence in the business, which could restrict future business growth or revenue opportunities.

As regulations continue to evolve, there has been a trend away from holding only the organisation responsible, towards identifying individual executives within the organisation. Negligence on the part of an individual could lead to personal litigation, even to the extent of a class action by the individuals whose data has been compromised.


Prevention versus protection

“When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn’t possible,” Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet. “The first thing any organisation should do is understand that data breaches are not always preventable.”

Mr Savvides is right. If the litany of data breach stories over the past five years has taught us anything, it is that data networks are vulnerable. Organisations have historically spent a disproportionate amount of money on attempting to prevent a breach, adopting a perimeter-first strategy that is mistakenly seen as the last line of defence against cyber-criminals, negligence or old-fashioned user error.

In reality, if you cannot prevent a breach, the best option is to protect the data itself using high-assurance encryption. Only if the data is encrypted to a high-assurance standard can you ensure it is rendered meaningless in the hands of an unauthorised user.

Under emerging regulations, such as the GDPR and the Australian NDB scheme, a breach that involves only securely encrypted data does not need to be disclosed. It is surprising, then, that independent research continues to show that only 4% of the breaches recorded in the past five years have involved encrypted data.

Discover more about high-assurance encryption.
