Australia’s new data breach notification law is really about IT security not just disclosure – don’t get distracted.
In February 2018 Australia’s new data breach notification law comes into effect.
If you missed the announcement, here’s a quick summary.
Organisations already covered by the Privacy Act will have a legal obligation to notify the Federal Government and the impacted parties of any data breach. Failing to do so can result in fines of up to $360,000 for individuals and $1.8 million for organisations.
The new data breach notification law describes a breach as unauthorised access to, or disclosure of, customer information that generates a real risk of harm to the individuals concerned. The kind of information deemed potentially harmful is fairly obvious and includes credit card details, personal contact details, credit history, health records, bank accounts and tax information.
While there’s been plenty of discussion about whether or not the new data breach notification law is good, bad, effective or ineffective, there hasn’t been quite as much discussion about what organisations need to do to avoid a breach in the first place. That’s really the implied point of this new legislation.
It’s no surprise then that the best advice is, ‘Don’t make it easy for a breach to occur in the first place.’
The fact is, all organisations are constantly menaced by a wide spectrum of cyber criminals, and only the most naïve have poor IT security.
That said, the advent of the new law does mean extra focus needs to be brought to bear to avoid embarrassing mistakes that could lead to costly fines – even for organisations that already do a reasonable job on IT security.
The big question is: how much security is enough?
This has always been a good question when focusing on IT security, because not every business needs to protect itself like a military spy agency.
The short answer is that how much money, time and effort you put into IT security really depends on what you’re trying to protect and what will happen if that information is lost, stolen or corrupted.
Not all information is of equal value. It’s probably not going to make sense to introduce biometric scanners at a primary school computer lab.
Even so, if your organisation falls under the auspices of the new law, you definitely need to make sure all of the security gaps and holes that might exist in your organisation are closed properly and that the right monitoring and reporting tools are in place to detect breaches. (And frankly, even if your organisation is unaffected by the legislation, you should close those holes anyway, because they are probably being exploited.)
This might be accomplished with a range of off-the-shelf technologies and revamped business processes to ensure better security practices, but increasingly organisations turn to Managed Security Service Providers (MSSPs) who protect organisations from the outside.
The benefits of a Managed Service Provider like our company, First Focus, are several.
- We focus on IT management and IT security for a living, so we have to be up to speed at all times on new threats and the technologies that mitigate them.
- We work across a variety of IT environments and know how to manage and protect them.
- We use sophisticated tools to actively monitor and manage networks, servers, devices and security around the clock, with both manual and automated responses to threats or critical events. Most organisations just can’t afford to buy or run these kinds of tools or to maintain around-the-clock teams.
- We offer expertise and experience that is hard to find and fund within most organisations, and our teams scale as required to meet customer requirements.
- We can harden your IT security quickly by diverting your network traffic through our hosted security infrastructure.
If you are just starting to consider how Australia’s new data breach notification law might impact your organisation, and you know you need to implement better security practices, then consider the role an MSSP like First Focus could play in mitigating risk and helping you comply with your new obligations.