As the world prepares for the upcoming EU General Data Protection Regulation (GDPR), organisations in Australia have another cyber security law to focus on: the Privacy Amendment (Notifiable Data Breaches) Act 2017, which establishes the Notifiable Data Breaches (NDB) scheme.
The NDB scheme, which comes into effect on 22 February 2018, requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned. It is not limited to hacking; a lost laptop or an email sent to the wrong recipient can qualify.
The scheme applies to organisations already covered by the Privacy Act 1988. For most businesses that means an annual turnover of more than AUD 3 million, although certain smaller entities, such as health service providers, are also covered regardless of turnover.
The NDB is less complex than the GDPR, but it’s still a major challenge, and one that many organisations are failing to address. According to an HP study, only 51% of respondents said they had developed, or were in the process of developing, an IT security policy to comply with the Act.
Speaking to the ABC, Nigel Phair, director for Internet safety at the University of Canberra, says many Australian organisations could be caught out: “When you look at the organisations I talk to, they all think, ‘Well, we won’t get hacked so why would we put any investment or any effort into being prepared?’”
Small and medium-sized businesses are in the most danger, according to Phair. “The bigger you get, there is generally more preparedness to invest in cyber security measures.
“Unfortunately the smaller you get, they don’t see the value proposition, and subsequently the reason to be prepared.”
Independent security researcher Troy Hunt criticised the fact that the law only applies to larger organisations. Any company, regardless of its size, should have to inform people if their personal information has been exposed to an unauthorised party, he said.
He added that the law also relies too heavily on the honour system. “There’s an expectation that this is only going to apply to organisations where the breach could result in serious harm to the affected individual.
“Now the challenge here is that whilst there are some criteria set forth about what might constitute harm, it’s still self-assessment.
“We come back to the point where if it’s my data, I would like to know if it’s been disclosed.”
Nonetheless, he concluded: “Even though it doesn’t go quite as far as we’d like, it’s a positive thing that we actually have something that organisations can now discuss at a board level because it’s enacted in law.
“If nothing else, the fact that this is in the news and it is something people are talking a lot about at the moment, that will hopefully be enough of a trigger for organisations to go, ‘Yeah, we’ve actually got to think about this more’.”
With regulators worldwide placing greater emphasis on information security, organisations and their employees need to follow suit, and ISO 27001 is a sensible place to start.
ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS): a risk-based framework for managing information security through an integrated set of policies, procedures and technical controls. Its requirements for risk assessment, incident management and documented controls map closely onto what the NDB scheme demands, in particular the ability to detect a breach, assess whether it is likely to cause serious harm, and notify promptly. Certification to the Standard does not by itself prove compliance with any particular law, but an ISMS built on it gives you the evidence and processes that regimes such as the NDB scheme and the GDPR expect.