Notifiable Data Breach Scheme Event Recap
Two-Minute Takeaways from Maxsum’s Notifiable Data Breach Event.
Proudly hosted by Maxsum Consulting, and supported by SOPHOS, Rankin&Co. Business Lawyers (Melbourne) and RobertsonHyetts Solicitors (Bendigo).
Business owners and managers came together at Maxsum’s invitation at events staged across Bendigo and Melbourne over February and March this year to find out what Australia’s Notifiable Data Breach (NDB) scheme now means for their data, security, reputation and business.
The Notifiable Data Breach Scheme, which includes mandatory data breach reporting by businesses to the Office of the Australian Information Commissioner, came into effect on February 22, 2018.
The new scheme applies to all Australian government agencies, businesses and not-for-profits with an annual turnover of $3 million or more, and some small business operators that are private-sector health service providers, trade in personal information, handle tax file number information, and hold or manage other particular types of personal information.
Today’s Cyberthreat Landscape
At Maxsum’s Notifiable Data Breach event, we were joined by Ben Verschaeren from cyber-security industry leader SOPHOS, who briefed the room on the threat landscape businesses face today, with a particular focus on two of the main vectors for cyber-attack and data breach: phishing and ransomware.
Ben’s message centred on building awareness within your organisation of the level of sophistication of today’s attacks, and on the fact that the odds of suffering a data breach via cyber-attack are much greater than many businesses assume. In fact, he explained, many of the attendees in the room may have already been breached and not even know it!
Legal Snapshot of the NDB Scheme
The second section in our Get #NDBReady events included a legal snapshot of the NDB Scheme. In Bendigo, Anna Doughan and Tessa Mead from RobertsonHyetts Solicitors provided an overview of the NDB Scheme’s legal framework. They provided some much needed clarity around definitions under the scheme and how they apply: what constitutes an “eligible data breach”, a breach that results in “serious harm”, and the mitigation of risk through “remedial action”. Of particular interest were their recommendations for the steps to take when a business has reason to “suspect” it has suffered a data breach. They explained that organisations covered by the NDB Scheme will need to carry out a three-stage assessment within 30 days to determine whether an eligible data breach has occurred and needs to be reported.
In Melbourne, attendees heard from Rob Roy Rankin, Founder and Principal at Rankin&Co. Business Lawyers, about the importance of seeking dedicated legal and technology advice together in order to assess and understand what constitutes “an eligible data breach that results in serious harm” in the context of your industry vertical. He highlighted that the requirements under the legislation have been left deliberately broad so as to ensure businesses start to exercise best practice around their data security, and that being able to take sound remedial action, backed by legal advice and in line with a data breach response plan, may mitigate the need for reporting, not to mention prevent reputation damage. Rob also made the important call for educating your team, as data breaches are often the result of human error, or even disgruntled employees.
At both events, the very timely advice to the room was for attendees to seek dedicated legal advice now at the inception of the scheme, to review the information management systems already in place, and update or develop a Data Breach Response Plan as a matter of priority.
What Got You Here, Won’t Get You There
Rounding out the presentations was Maxsum Managing Director Joe Ciancio, who spoke from a business technology perspective about what organisations will need to do to:
- protect their data, assets, systems and reputations
- comply with this new and other future compliance regime changes, and
- ensure concrete policies, plans and procedures are in place for Disaster Recovery and Data Breach Response.
The focus of Maxsum’s presentation was that “what got you here, won’t get you there”, signifying the change in the onus of responsibility from the traditional “service provider” model of the past to an essential four-way partnership today between security vendors, legal consultants, business technology partners and the business itself.
Download Resources Now!
For more guidance and resources, visit the Australian Government Office of the Australian Information Commissioner at www.oaic.gov.au.