Preparing for Mandatory Notifiable Data Breach Legislation Part 1

Both Australia’s Mandatory Notifiable Data Breach legislation and the EU’s GDPR are shining a spotlight on state-of-the-art data security technologies and strategies to help Australian organisations stay strong in an increasingly digitised world.

The continuing digitisation and globalisation of our economy is becoming increasingly reliant on the control and processing of personal data. While this presents enormous opportunities for business, it is accompanied by growing public awareness of, and concern for, the importance of personal data protection.

According to data from the Attorney General’s Office (Identity Crime and Misuse in Australia 2016), five percent of Australians, in other words almost one million people, were exposed to a breach of their private information in 2016, bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.

In another survey[1] the Australian Bureau of Statistics found that around 6.4% of the Australian population aged 15 years and over reported being victims of identity fraud[2] in 2014-15. This makes identity crime more common than any other form of personal and household theft-related crimes. But the potential for damage goes wider than just personal data loss through identity theft and crime. Data breaches undermine trust in the local and global digital economy.

Both Australia’s impending Notifiable Data Breach (NDB) scheme, which comes into effect in February 2018, and the European Union’s General Data Protection Regulation (GDPR), due in May 2018, are a response to these concerns. With stringent criteria, obligations, and considerable non-compliance penalties, both the effort of attaining compliance and the risks associated with non-compliance will undoubtedly increase under NDB and GDPR. The implications may necessitate changes that encompass data processing workflows, organisational structure, business processes, and ultimately, information and security technologies.

For some organisations, this will present an opportunity to streamline operations, eradicate unnecessary data collection and limit processing to only that which is essential to core business goals. Either way, however, the transition to compliance is likely to be a significant undertaking.

The biggest challenge organisations are facing is how to start the process in order to understand their risk. Here are some quick tips to get you started.

  1. Risk Assessment and Remediation – know where you are vulnerable and determine your priorities, so you can establish which issues are the most critical to address first.
  2. Visibility – ensure that you have access to real-time threat intelligence, combined with threat intelligence gathered from within your own network, which can be quickly and seamlessly consumed by your Advanced Threat Protection solutions.
  3. Audit – inventory and assess all your IT assets to search for security gaps. For example, is there software that needs a patch update? We saw from the WannaCry threat how important good security hygiene is.
  4. Logging Decisions and Monitoring – decide what to log and monitor so that you can determine, and provide detailed information on, what is happening on your network in real time.

Want to know more about the data breach notification laws and how best to navigate them? Visit Fortinet’s Data Breach Notification page for whitepapers and other resources to help you turn this new legislation into greater organisational support for cybersecurity.

[1] Source: ABS Personal Fraud Survey 2014-15 (ABS 2016a) and ABS 2016b

[2] Identity fraud includes both identity theft and card fraud.