Understanding the Mandatory Breach laws: what your business needs to know

Privacy breaches can no longer be hidden from the public now that the Australian Government has introduced the Notifiable Data Breaches scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017. In effect since 22 February 2018, it has significant consequences for any organisation covered by the Privacy Act, so if you're not across it yet, you could be at risk.

Firstly, a bit about the Notifiable Data Breaches scheme

The crux of the scheme is that organisations covered by the Privacy Act 1988, which includes businesses with an annual turnover of more than $3 million, are required to notify individuals whose personal information has been involved in a data breach that is likely to result in serious harm. The scheme is not limited to private enterprise: it also applies to Australian Government agencies (so an incident like the Medicare card details breach would be covered), not-for-profit organisations, credit reporting bodies, health service providers, tax file number (TFN) recipients and others.

A breach is notifiable (an "eligible data breach" in the Act's terms) when there is:

  • Unauthorised access to personal information
  • Unauthorised disclosure of personal information
  • Loss of personal information in circumstances where unauthorised access or disclosure is likely to occur

From there, the organisation must determine whether the breach is likely to result in serious harm to any of the affected individuals, and whether it can take remedial action that prevents that harm. If the harm cannot be headed off, the affected individuals and the Office of the Australian Information Commissioner must be notified as soon as practicable. Where an organisation only suspects a breach has occurred, it has 30 days to assess it.

To get more insight into the breach laws and understand how to give your employees some basic tips to protect your company data, we spoke with Mark Gorrie, Director Norton Business Unit, Pacific Region. In this piece, and referencing Norton’s latest Cyber Security Insights Report, Mark discusses how individuals can tighten up their own security habits, both at home and in the workplace, to reduce the risk of falling victim to a privacy breach or any kind of cybercrime.

Is the Notifiable Data Breaches scheme a good thing?

Norton’s Mr Gorrie says it is. “Globally we’re in favour of data breach notification laws because they provide transparency to consumers,” he says. “If personal information has been leaked, it gives the individual the opportunity to rectify the issue. For example, they can change their password or they can get the card cancelled. These notifications will help people to protect themselves.”

Mr Gorrie also explains that the new scheme will result in businesses needing to be proactive in their approach to data security. This means, in the long run, their brands will be subject to far less damage than if a privacy breach was to occur. In essence, it’s a win-win for individuals and business.

How individuals and employees can help reduce the chance of a privacy breach at home and work

Late last month, Norton released its annual Norton Cyber Security Insights Report, which surveyed more than 20,000 individuals about their online security habits. The report found that in 2017 more than six million Australian consumers were victims of cybercrime, resulting in a total loss of $2.3 billion. Norton's research discovered that tech-savvy millennials were particularly guilty of poor online security habits. Despite owning the most devices and adopting security practices such as pattern locks, face recognition, VPNs, voice ID and two-factor authentication, nearly one in four (24 percent) of millennials surveyed use the same password for all their accounts. According to Norton, this is a worrying statistic, with passwords remaining the most common, and often the only, method of device protection for Australians. In comparison, 72 percent of seniors use different passwords.

Armed with this information about Australians' poor online security habits, Norton's Mr Gorrie shares five tips to reduce the likelihood of individuals and staff falling victim to cybercrime and opening your business up to a potential privacy breach.

1. Take email seriously and check the authenticity

“Emails are a massive attack vector, if anything they’ve grown,” says Mr Gorrie. Anyone using email, whether at home or at work, needs to be suspicious of attachments and links. If you’re ever unsure, do not open the attachment or click the link.

The most dangerous suspicious emails are the ones that look completely legitimate, which is exactly what phishing and business email compromise rely on. Mr Gorrie gives the example of a cricket club where the club president’s email account was compromised, which led to an email being sent to the treasurer asking for a funds transfer. The funds were transferred and the club lost the money. The practical defence against this kind of request is a second channel: any email asking for a payment or a change of bank details should be confirmed with the sender by phone, using a number you already have rather than one in the email.

2. Passwords need to be complex, including both numbers and letters

While passwords might seem basic, the Norton Cyber Security Insights Report showed individuals still have a long way to go in using them effectively. Passwords, at home and at work, need to be more elaborate: at least 10 characters long and always an unguessable combination of numbers and letters. “The longer it is, the harder it is to hack. Don’t use the same password on multiple accounts, because if one gets hacked, the rest become vulnerable,” says Mr Gorrie. And of course, don’t share your passwords.

Remembering multiple passwords can be really challenging, so use a password manager such as Norton Identity Safe, which stores them in encrypted form. It is a convenient and much more practical option than reusing passwords, and it reduces the chance of falling victim to cybercrime that could result in a data breach.
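The following is an added example, not code from Norton or from any password manager, that shows what the two pieces of advice above look like in practice: generating a unique random password per account (what a password manager does for you) and auditing a set of stored passwords for the two failures the report calls out, short passwords and reuse across accounts. The guess rate of ten billion attempts per second used for the crack-time estimate is an assumption standing in for a well-resourced offline attacker against a fast hash; the vault contents are constructed sample data.

```python
"""Added example: per-account random passwords and a vault audit for length
and reuse. Not vendor code; the guess rate and sample vault are assumptions."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 10  # the article's minimum


def generate_password(length=16, alphabet=ALPHABET):
    """Cryptographically random password. Uses secrets, never random."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def crack_time_years(length, alphabet_size, guesses_per_second=1e10):
    """Expected years to search half the space at an assumed offline guess rate.
    Each extra character multiplies the time by the alphabet size, which is
    why length beats a sprinkling of symbols."""
    seconds = (alphabet_size ** length / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def audit_vault(vault):
    """vault: {account: password}. Returns sorted (account, finding) pairs for
    passwords that are too short, lack letters+digits, or are reused."""
    findings = []
    by_password = {}
    for account, pw in vault.items():
        if len(pw) < MIN_LENGTH:
            findings.append((account, "too short"))
        if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
            findings.append((account, "needs both letters and digits"))
        by_password.setdefault(pw, []).append(account)
    for accounts in by_password.values():
        if len(accounts) > 1:
            shared = ", ".join(sorted(accounts))
            findings.extend((a, f"reused across {shared}") for a in accounts)
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample vault: a reused password and a short one.
    sample = {"email": "Summer2018", "bank": "Summer2018", "work": "short1"}
    for account, finding in audit_vault(sample):
        print(f"{account}: {finding}")
    print("replacement for bank:", generate_password(16))
    print("8 chars, full keyboard:", round(entropy_bits(8, 94), 1), "bits")
    print("12 chars, letters+digits:", round(entropy_bits(12, 36), 1), "bits")
```

A 12-character password drawn only from lowercase letters and digits carries more entropy than an 8-character one drawn from the whole printable keyboard, which is the point behind "the longer it is, the harder it is to hack". The audit deliberately reports the reuse once per account so that each account owner sees the finding.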

3. Update software and devices regularly

Hardware and software companies regularly send out updates for their products. And while it might be tempting for your employees to keep clicking the “remind me tomorrow” notification that seems to pop up every other day, it’s putting their devices at risk and leaving your business vulnerable to attack.

The same goes for your online security software: it needs to have automatic updates switched on so that new vulnerabilities can be plugged before it’s too late. Norton says its customers were protected from the WannaCry ransomware outbreak (and many other notorious ransomware and security incidents) because the relevant protections were in place before it hit the masses. It is worth remembering that Microsoft had also released the patch for the SMB vulnerability WannaCry exploited about two months before the outbreak, so the machines that were hit were largely the ones that had kept clicking "remind me tomorrow".

4. Use comprehensive security software that will actually protect systems

The age-old saying that you get what you pay for is true in this sense. While it might be tempting to grab free security software, most of it is basic. Mr Gorrie suggests a multilayered approach when in the market for security software, saying that traditional antivirus should make up only about 20% of what the product does. “Most detections happen at the network layer,” he says. “More than half our detections happen at that layer which means they don't get on your device and execute.” He also strongly recommends investing in security software that has a reputation and a large footprint. “The more devices and computers connected and feeding information back to that security company’s network, results in new and suspicious threats being found and shut down faster,” he says.

5. Back up your data via the cloud - not USB or portable hard drives

Backing up your data through a reputable cloud provider such as Amazon Web Services or Google Cloud gives you access to clean files whenever you need them, even after a cyber attack or data breach. These providers do a lot of the heavy lifting on the infrastructure side, patching and hardening the underlying systems and regularly testing them for weaknesses. Plus, as an added bonus, your files are safe in the event of fire, flood or theft. Two caveats apply. First, a backup only gives you clean files if it keeps earlier versions: a sync folder that faithfully uploads ransomware-encrypted files overwrites the good copy with a bad one, so make sure versioning or retention is turned on. Second, the provider secures its infrastructure, not your account, so protect the backup with its own credentials and two-factor authentication, because an attacker who holds your login can delete the backup as easily as you can.
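As an added example (not Norton's code or any provider's tooling) of the versioning caveat, the script below keeps each backup as a separate, never-modified snapshot with a SHA-256 manifest, detects which live files have changed since the snapshot, and restores only verified clean copies. It runs against a temporary directory with constructed sample files; the "ransomware" step is simulated by overwriting one file with random bytes. The read-only file mode is a reminder rather than real protection, since genuine immutability needs storage-level versioning or object lock on the cloud side.

```python
"""Added example: a versioned, integrity-checked backup so that clean copies
survive ransomware or accidental deletion. Not vendor code; the sample files
and directory layout are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (works for large files)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(src):
    """Yield (posix-style relative path, absolute path) for every file under src."""
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, src).replace(os.sep, "/"), full


def _fs(rel):
    """Turn a manifest key back into a native filesystem path."""
    return os.path.join(*rel.split("/"))


def snapshot(src, backup_root):
    """Copy src into a new snapshot directory with a hash manifest. Earlier
    snapshots are never touched, so a later compromise of the live data cannot
    overwrite the only good copy. Files are made read-only as a reminder only."""
    os.makedirs(backup_root, exist_ok=True)
    n = sum(1 for d in os.listdir(backup_root) if d.startswith("snap-"))
    snap = os.path.join(backup_root, f"snap-{n:04d}")
    manifest = {}
    for rel, full in _walk(src):
        dest = os.path.join(snap, "data", _fs(rel))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(full, dest)
        manifest[rel] = sha256_file(full)
    with open(os.path.join(snap, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    for root, _dirs, files in os.walk(snap):
        for name in files:
            os.chmod(os.path.join(root, name), 0o444)
    return snap


def verify(src, snap):
    """Compare the live tree against a snapshot's manifest."""
    with open(os.path.join(snap, "manifest.json")) as f:
        manifest = json.load(f)
    live = {rel: sha256_file(full) for rel, full in _walk(src)}
    return {
        "modified": sorted(r for r in manifest if r in live and live[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in live),
        "added": sorted(r for r in live if r not in manifest),
    }


def restore(snap, dest, files=None):
    """Restore the given relative paths (default: everything) from snap into
    dest, refusing any backup copy whose hash no longer matches the manifest."""
    with open(os.path.join(snap, "manifest.json")) as f:
        manifest = json.load(f)
    restored = []
    for rel in (manifest if files is None else files):
        stored = os.path.join(snap, "data", _fs(rel))
        if sha256_file(stored) != manifest[rel]:
            raise RuntimeError(f"backup copy of {rel} is corrupt; refusing to restore")
        target = os.path.join(dest, _fs(rel))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copyfile(stored, target)
        restored.append(rel)
    return restored


def demo():
    """Constructed scenario: back up, simulate ransomware, detect, restore."""
    work = tempfile.mkdtemp()
    live, backups = os.path.join(work, "live"), os.path.join(work, "backups")
    os.makedirs(os.path.join(live, "finance"))
    with open(os.path.join(live, "finance", "ledger.csv"), "w") as f:
        f.write("date,amount\n2018-02-22,100.00\n")  # constructed sample data
    with open(os.path.join(live, "notes.txt"), "w") as f:
        f.write("quarterly review\n")
    snap = snapshot(live, backups)
    # Simulated ransomware: the ledger becomes junk and a ransom note appears.
    with open(os.path.join(live, "finance", "ledger.csv"), "wb") as f:
        f.write(os.urandom(64))
    with open(os.path.join(live, "README_DECRYPT.txt"), "w") as f:
        f.write("pay us\n")
    report = verify(live, snap)  # flags finance/ledger.csv as modified
    restored = restore(snap, live, report["modified"])
    clean = verify(live, snap)["modified"] == []
    shutil.rmtree(work)
    return report, restored, clean


if __name__ == "__main__":
    print(demo())
```

The design point is that the snapshot directory is written once and then only read: the restore path verifies each stored copy against the manifest before trusting it, so a backup that has itself been tampered with is refused rather than silently restored.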

When we look at businesses rather than individuals, Mr Gorrie says it really becomes a matter of processes. “You should have a process which enforces password changes, for starters,” he says. “Processes are important because they will reduce your risk of a data breach. Another important process is how businesses enable access to data on work devices and personal devices. A data breach can be as simple as someone copying data onto a USB and leaving it on a bus.”

Keeping your company’s data safe to reduce the risk of a privacy breach should always have been front of mind, but now, with the new notification scheme, it is even more important to take proactive steps to reduce the likelihood of a breach. If you want to learn more about ways to protect your company’s data online, come and see international keynote speaker and Symantec CEO Greg Clark present on identifying and minimising enterprise vulnerability to cyber attacks at the CeBIT Cyber Security Conference.