Notifiable Data Breach law takes effect
With Australia’s Notifiable Data Breach legislation now in force, what should healthcare organisations do to avoid a $1.8m fine?
Australia’s Notifiable Data Breach (NDB) legislation is now in effect, but many organisations remain unprepared to deal with the new mandatory reporting rules and will need to make wide-reaching changes to their security policies and practices.
The NDB scheme applies to all Australian Government agencies as well as all businesses and non-profit organisations governed by the Privacy Act.
These include all organisations with an annual turnover of more than $3 million, plus a number of smaller businesses including health service providers, businesses that buy or sell personal information, credit reporting bodies and government-contracted service providers.
Failure to comply with the new legislation will put companies at risk of fines of up to $1.8 million for organisations and $360,000 for individuals, which could be crippling to a smaller company.
Any data breach that involves the exposure of personal information likely to result in serious harm must be disclosed to both the Office of the Information Commissioner and to affected individuals.
The scheme also requires organisations to make a “reasonable and expeditious” assessment of any suspected data breaches within 30 days of becoming aware of a potential incident.
The impact of the scheme could be wide ranging — research from Forcepoint published last year found that more than 90% of ASX-listed businesses, government departments and large NGOs were exposed to a data breach in 2016.
Are you ready?
The NDB scheme passed the Senate in May after being introduced in 2016. The previous government had attempted to pass its own version of the scheme in 2013, but it failed to pass the Senate.
But while the NDB legislation has been a long time coming, many Australian healthcare organisations remain ill-prepared. Recent research from Canon Australia found that three in five businesses that will be governed by the new legislation are unaware of the scheme and what it means for them. This increases to four in five for small businesses.
A CyberArk survey from December found that 50% of organisations did not fully disclose data breaches to customers, 44% are only partly prepared to meet the guidance timings for a breach investigation and notification, and 41% of Australian business leaders report not having sufficient knowledge about security policies.
Similar research from law firm MinterEllison indicates that just 40% of Australian organisations have prepared for the NDB scheme by reviewing their policies, data breach response plans and security controls. In addition, only 54% of organisations have a cyber risk response plan in place, although uptake of cyber insurance has grown from 39% in 2016 to 62% in 2017.
“Our findings show that while most Australian organisations are well aware of cyber risk and the need to address it, much remains to be done to increase their resilience to meet requirements of the NDB Scheme,” said Paul Kallenbach, MinterEllison partner and head of cybersecurity.
“Our firm recommends organisations focus on understanding and documenting their data and information flows; prepare, test and update their incident response plans; and provide regular training to staff at all levels. It’s vital they do this, as cyber attacks are here to stay and pose a serious risk issue for government and business.”
Always be prepared
Splunk’s Simon Eid said that the scheme should serve as a reminder that healthcare organisations should constantly be reviewing their security infrastructure.
“Now is the time for the C-suite to consider whether they need to shift their approach to security within the business as a whole, in order to comply. By taking steps now to ensure data is secured and managed appropriately, organisations can decrease the likelihood of a data breach,” he said.
“Having access to and analysing all data is integral to detecting where a data breach may have occurred. The next step is implementing a clear data breach response plan so the right people can take steps to mitigate the situation, which includes notifying individuals whose data has been exposed.”
According to Centrify’s Niall King, a response plan should be guided by the answers to six questions, the first of which are who is responsible for the potential corporate impact of a data breach and who is responsible for preventing data breaches.
Other pertinent questions are whether passwords being used by employees are strong enough, what happens when IT security is breached, what happens to security credentials when an employee leaves a company and how prepared an organisation is for the NDB scheme.
Even those organisations that are making efforts to improve their security posture may be focused on the wrong areas. A survey from Fortinet indicates that poor security hygiene is the root cause of a substantial portion of data breaches, with respondents stating that 31% of breaches experienced in the last two years were the result of social engineering, ransomware and email phishing.
But only 15% of Australian IT decision-makers (ITDMs) ranked employee training as their top cybersecurity investment priority, and just 20% nominated implementing security policies and processes.
“The urgency to prioritise security hygiene, educate with broader awareness or implement security approaches that leverage automation, integration and strategic segmentation is critical to defend against the highly damaging internet attacks possible in our near future,” Fortinet’s Patrice Perche affirmed.
The role of culture and connection in improving Aboriginal health
Researchers are calling for a rethink of the health system's approach to closing the gap.
COP29: positioning health at the core of climate negotiations
The WHO is calling for an end to reliance on fossil fuels, instead advocating for people-centred...
Clinician burnout: evidence-based strategies to improve wellbeing
Recent surveys in Australia show clinician rates of burnout around 60% with higher rates in the...