Data breaches, often driven by ransomware and other malware, are flooding the news. From large banks and hotels to universities and hospitals, it seems that our personal information, such as credit card details, is not as safe as we would hope. There is no doubt that 2021 was a banner year for cybercriminals and hackers.
These malicious actors took advantage of the COVID-19 health pandemic and the considerable increase in remote work, attacking social and technical vulnerabilities.
You probably have many questions: how do data breaches occur? What type of information is compromised? And what are the financial and other ramifications of such events? With a majority of the international workforce working from home, away from the secure confines of a robust corporate network, 2021 was among the most active years for cyberattacks. Check Point Research revealed that cyberattacks, such as phishing and DDoS, increased 50% year-over-year.
Although data compromise and exposure are becoming more frequent, not all data breach incidents are massive. According to Risk Based Security’s 2019 midyear data breach report, only 8 big data breach incidents accounted for more than 78% of the total records exposed from the start of 2019 through June 30. This report clearly shows that cybersecurity threats and risks are the most pressing concern for large corporations and companies that handle huge volumes of data.
You may have heard of the Notifiable Data Breaches Scheme. It is recent legislation and a key part of the Privacy Act. The scheme was introduced in February 2018. There is no doubt that significant reform to privacy laws and legislation, in Australia and globally, has occurred in the past two years.
Considering that most information is transferred electronically, data transmission needs to be kept secure and confidential and not shared with unauthorized parties. Under the Australian Privacy Principles, companies and businesses dealing with confidential data have a legal obligation to contain and report any notifiable data breach (NDB).
What is the Notifiable Data Breaches Scheme?
The NDB Scheme is a new legislative requirement for organizations and businesses operating under the National Privacy Act 1988 to notify the Office of the Australian Information Commissioner (OAIC) of any data breach that is likely to put individuals at risk of serious harm or damage.
Remember that this notice includes recommendations and suggestions about the steps that individuals must take in response to the data breach.
You should know that organizations must be prepared to perform quick risk assessments of suspected breaches to determine and evaluate if they are likely to cause serious harm.
What’s a Data Breach?
We can define a data breach as unauthorized access to, or disclosure of, personal information, such as email addresses and credit card details. This means that a ransomware or similar attack that encrypts data but does not exfiltrate it can still constitute a reportable data breach.
Similar to the GDPR, Australia broadly deems personal data, such as email addresses, to be any information about an identified person or any information that can reasonably be linked to an individual.
Some examples of data breaches include when:
- A device or system containing customers’ personal information is either lost or stolen
- Personal information is inadvertently provided to the wrong individual
- A database containing confidential personal data is hacked
An intentional data breach may happen when a cybercriminal gains access to confidential client information via a social engineering attack or a former, disgruntled employee deliberately gains access to your systems.
On the other hand, an unintentional breach could happen when an employee logs into their official work account on a public computer system and accidentally leaves it open.
Did you know that 5,258 confirmed data breach incidents occurred across 16 different sectors and industries? This figure comes from the Verizon 2021 Data Breach Investigations Report (DBIR), which analyzed data from more than 29,300 incidents.
What’s a Notifiable Data Breach?
We can define a Notifiable Data Breach (NDB) as a data breach incident that will likely result in serious harm or damage to any individual to whom the information relates. It happens when a person’s data is leaked, lost, or accessed without authorization.
According to the latest OAIC Guidelines, a data breach incident occurs when:
- A business or company loses personal information, discloses it to any third party, or the information is susceptible to unauthorized access
- The disclosure, loss, or access causes serious harm
- The company is unable to remediate the serious harm
Note that if a data breach meets all 3 conditions, it is considered a notifiable data breach by the OAIC. On the other hand, if no serious harm occurs and steps are swiftly implemented to minimize the harm, the data breach incident won’t be considered notifiable.
Where a business or organization becomes aware that there are reasonable grounds to believe that an eligible data breach has happened, it is responsible for notifying the parties at likely risk of serious harm, as well as the Commissioner, in a timely manner. This notification should set out the following:
- The identity and contact information of the organization
- A brief description of the breach
- The type of information concerned
- Recommendations and suggestions about the steps individuals should take to respond to the data breach
What’s Considered Serious Harm?
As discussed above, one of the requirements of a notifiable data breach involves serious harm. To determine whether a data breach will cause serious harm, it is important to apply an objective test. Keep in mind that this involves analyzing the circumstances around the data breach from the perspective of a ‘reasonable person’.
According to the OAIC, you have 30 business days to determine whether the data breach is seriously harmful or not.
Several variables are considered to make this determination:
- Is the harm reputational, psychological, financial, or physical?
- Is the disclosed or lost information sensitive?
- Which unauthorized individuals have managed to gain access to the information?
Wider Ramifications of a Notifiable Data Breach
The fall-out and consequences from a public data breach are not restricted to non-compliance fines. You should know that financial penalties may cause less disruption than the inevitable erosion of trust and confidence in your business. This could restrict future business expansion or revenue opportunities.
With changes in regulations, there has been a gradual trend away from holding only the organization or business responsible and toward identifying individual executives and leaders within the organization. Negligence on the part of such a person could lead to personal litigation.
How to Respond to a Data Breach
It is important for businesses to take the right precautions and measures to avoid ending up in messy and challenging situations. However, things do not always go as planned and are sometimes out of your control.
So, you should always mitigate the various risks from the start and have the right policies and procedures in place. This way, if things get complicated, your company will have a clear process for individuals to follow and minimize any risk of loss or damage.
Preventing a Data Breach in the First Place
There are several steps your business or company can take to keep a data breach from happening. These steps can also be applied after a notifiable data breach has already taken place, to reduce its effects.
- You should get familiar with the Notifiable Data Breach Scheme. For example, you must be able to describe and explain what an eligible data breach is and what your reporting obligations are should a data breach occur.
- Make sure that your staff has up-to-date and ongoing cybersecurity training. The training your staff and employees undertake should include how to identify various cybersecurity threats, such as phishing attacks.
- Change your passwords frequently, and ensure they are strong (a mix of lowercase and uppercase letters, symbols, and eight characters or more). You should also use two-factor authentication.
- Ensure that staff are given the minimum access to files they need. This means they should have permission to access only what is required to get their job done.
- You should get a response plan ready that you can discuss and share with others in your business. This response plan should cover how to identify data breaches as well as how to report these breaches to the OAIC.
Data breaches can have severe consequences for businesses and individuals and should be taken seriously. Your business must follow the NDB scheme guidelines to contain and report data breaches. You should also have a data breach response plan in place that identifies steps or measures to report and remedy the situation and identify the people responsible for the task.