The Notifiable Data Breach (NDB) Scheme
In October 2017, almost 50,000 employee records from Australian Government agencies, banks and a utility were exposed because of a misconfigured cloud-based ‘Amazon S3 bucket’ – storage that had been left readable by anyone on the internet rather than only by the account that owned it. AMP was reportedly one of the worst affected, with around 25,000 leaked employee records. ITNews reports that the breach was discovered by a Polish researcher who searched for publicly readable S3 buckets with “dev”, “stage” or “prod” in the bucket name – the naming convention that tells an attacker which buckets are likely to hold production data. A single third-party contractor appears to have been responsible for the exposed bucket.
In October 2016, the details of over half a million Australian Red Cross Blood Service donors were inadvertently exposed after a website contractor left a database backup on a publicly accessible web server. In the US, the Equifax breach exposed the credit records (including Social Security numbers) of over 145 million Americans – all because a critical patch for the Apache Struts web framework was never applied after the internal notice about it went unactioned.
Regardless of how good your existing systems are, data breaches are a reality, whether through human error, malice, or simply because those looking for ways in are often one step ahead. And it is not all about IT: there have been numerous cases of hard-copy records being disposed of inappropriately, employees infecting servers with malware by opening a malicious email attachment, and unencrypted USB drives holding sensitive data lost on the way home. (Whether a lost device counts as a breach likely to cause serious harm turns largely on whether the data on it was encrypted.)
Who is covered by the data breach scheme?
The Notifiable Data Breach (NDB) Scheme applies to organisations covered by the Privacy Act – broadly, Australian Government agencies and businesses with an annual turnover of more than $3 million. But if your business is ‘related to’ another business covered by the Privacy Act, provides health services or handles health records (including gyms, child care centres, natural health providers, etc.), or is a credit provider, then your business is also covered regardless of turnover (see the full list). Special responsibilities also exist for the handling of tax file numbers, credit information and information obtained from the Personal Property Securities Register.
What you need to do
New data breach rules in effect from 22 February 2018 place an onus on business to protect personal information and, when a breach occurs that is likely to result in serious harm to any of the individuals concerned, to notify both those individuals and the Office of the Australian Information Commissioner (OAIC).
It’s important to keep in mind that complying with these new laws means more than emailing the people in your database when something goes wrong. Organisations are required to take all reasonable steps to prevent a breach occurring in the first place, put in place the systems and procedures to identify and assess a suspected breach (the assessment must be completed within 30 days), and issue a notification as soon as practicable if the breach is likely to cause ‘serious harm’. A breach that is contained quickly enough that serious harm is no longer likely – for example, a misplaced laptop that is recovered unopened, or a mis-sent email that is deleted unread – does not need to be notified, but the reasoning behind that decision should be documented.