COVID19 Business readiness kit

Compliance, it’s like the practical, reliable Toyota Corolla first car for a teenager. When they’d much prefer something twice the price, that’s much cooler to look at. The flipside of the car they really want is the insurance premiums. Compliance, it’s practical, it’s somewhat boring, but it is your insurance against bigger penalties.

The Office of the Australian Information Commissioner (OAIC) has released it’s half-yearly notifiable data breaches (NDB) report, and despite COVID-19 changing how and where we work, data has remained consistent with the longer term trends.

What is a breach?

Under the NDB scheme, a data breach is an ’eligible data breach’ where:

  • There is unauthorised access to or unauthorised disclosure of personal information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur)
  • A reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach, and;
  • The entity has not been able to prevent the likelihood of serious harm through remedial action.

In plain English, this means that personal information has been incorrectly shared (either accidentally or maliciously) with unauthorised people or organisations.

Industries impacted

Healthcare (22% of all breaches) and finance industries (14%) continue to be the most impacted industries concerning data breaches.

There is an assumption that because of the high levels of personal information these organisations hold, that they are more ‘profitable’ for cyber crooks to attack.

Recently the Garmin ransomware attack illustrated how, through a ransomware attack, millions of users could not access their own personal exercise and health related data for nearly five days.

NDBs received January - June 2020 (Top 5 industry sectors by notifications)

Let’s talk about compliance

A specific callout from the OAIC was around the compliance relating to notifications. As part of the NDB scheme, any business that suspects or discovers a breach must report it to the regulator, and also notify any individuals that may have been impacted by the breach.

There have been multiple instances of incomplete notifications of data breaches where entities may not have fully met their obligations with regard to the content of the notification to individuals affected by a data breach.

For example, while entities notified affected individuals that their email addresses were involved in a data breach, on some occasions they did not advise that other personal information was also involved. This included personal information contained as attachments to emails received and sent from the compromised account, or in the cloud storage associated with the account.

Multiple notifications failed to include recommendations about the steps that individuals should take in response to the breach.

In these cases, the OAIC required the entity to re-issue the notification to include all the kinds of personal information that was involved, and provide the practical advice required to help individuals reduce the risk of harm.

Compliance also pertains to the timeliness of your reporting and awareness of the data breach occurring.

Two factors affect the timeliness of notification: the time it takes for the entity to identify that the breach has occurred; and the time it takes the entity to complete its assessment of the breach and notify the OAIC and affected individuals.

Across the reporting period approximately 77% of notifying entities were able to identify a breach within 30 days of it occurring.

However, in 47 instances the entity took between 61 and 365 days to become aware that a data breach had occurred, while 14 entities took more than a year.

How quickly would you be aware that a breach had occurred within your organisation? Do you have a business continuity plan in place to remediate and address the breach?

Compliance within the NDB can have a financial cost in terms of fines applied, but there is also the material impact on your business in terms of downtime, reputation loss and the possible revenue loss that is associated with both of these.

As businesses continue to work remotely, and adapt their businesses to supporting this model longer term, the importance of building a robust IT management plan is even more relevant. At a minimum your IT management plan should cover:

  • Policy management
  • Change management
  • Staff training & process management
  • Cyber security
  • Reporting protocols
  • Disaster recovery (including agreed recovery times and points)

We can’t help you with your teenagers’ preference in cars, however, we can help you ensure that your IT management plan and reporting meets the regulations of your industry.

Making the investment in your IT management plan is the best proactive measure you can take to safeguard your business in the event of an incident, and avoid any financial penalties.