Last updated: 13 February 2020
The Australian Notifiable Data Breaches (NDB) scheme recently celebrated its first birthday, on 22 February.
The NDB requires “agencies and organisations regulated under the Australian Privacy Act 1988 (Privacy Act) to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach”.
In essence, compliance with the NDB scheme pushes agencies and organisations to implement the measures needed to protect individuals' sensitive information. In reality, many appear not to have done so: a total of 812 data breaches (approximately 68 per month) were notified to the OAIC in the scheme's first year.
In the first two months of 2019 alone we have already seen high-profile data breaches affecting a real estate recruitment agency, a state government, a car maker and, just this week, a healthcare provider. Clearly cyber criminals are not easing up, knowing that some agencies and organisations have not taken the right steps to prevent data breaches.
In the OAIC’s “Guide to securing personal information” encryption is suggested as “important in many circumstances to ensure that information is stored in a form that cannot be easily understood by unauthorised individuals or entities”.
Think about it. This makes a lot of sense: when you suffer a data breach, you want the lost or stolen sensitive data to be worthless to cyber criminals, and properly encrypted data is exactly that without the decryption key. In other words, you want a breach that exposes only ciphertext. That only holds if the keys are stored and managed separately from the data they protect, so that an attacker who copies the database does not walk away with the keys as well; key management matters as much as the encryption itself.
So here are some things that organisations can do to prevent data breaches, limit their impact, and comply with the NDB:
1. Identify a complete and accurate picture of where sensitive personal data resides
2. Minimise the number of locations housing sensitive data where possible
3. Protect data with encryption, and manage the encryption keys separately from the data they protect, to establish data confidentiality and integrity
4. Control access to sensitive data, e.g. use multi-factor authentication and policy controls to establish strong, dynamic credentials
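To make point 3 concrete, here is an added example (my own code, not from this post or the OAIC guide) of what "encryption with separate key management" looks like in practice: envelope encryption with AES-256-GCM. Each record is encrypted under its own data-encryption key (DEK); only the DEK wrapped under a key-encryption key (KEK) is stored next to the ciphertext, and the KEK itself never sits in the database. GCM's authentication tag supplies the integrity half of the requirement: a record that has been modified, or a ciphertext moved to another row, fails to decrypt instead of yielding altered data. The `SealedRecord` layout, the `recordID` used as associated data, and the local byte slice standing in for a KMS/HSM-held KEK are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is the assumed stored form of one encrypted personal record.
// Both fields carry their AES-GCM nonce prepended to the ciphertext.
type SealedRecord struct {
	WrappedDEK []byte // per-record DEK, encrypted under the KEK
	Ciphertext []byte // personal data, encrypted under the DEK
}

// newKey returns 32 random bytes for AES-256.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealWith encrypts plaintext with AES-256-GCM under key. aad is authenticated
// but not encrypted; here it binds the ciphertext to its record ID so a
// ciphertext copied into another row fails to decrypt.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

// openWith reverses sealWith. GCM verifies the tag before returning any
// plaintext, so any modification of the stored bytes is reported as an error.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord performs envelope encryption: a fresh DEK encrypts the data,
// and only the DEK wrapped under the KEK is stored beside the ciphertext.
func EncryptRecord(kek, plaintext []byte, recordID string) (SealedRecord, error) {
	dek, err := newKey()
	if err != nil {
		return SealedRecord{}, err
	}
	ct, err := sealWith(dek, plaintext, []byte(recordID))
	if err != nil {
		return SealedRecord{}, err
	}
	wrapped, err := sealWith(kek, dek, []byte(recordID))
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord must unwrap the DEK with the KEK first; a database dump that
// contains only SealedRecords cannot get past this step.
func DecryptRecord(kek []byte, rec SealedRecord, recordID string) ([]byte, error) {
	dek, err := openWith(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Assumption: in production the KEK lives in an HSM or KMS that exposes
	// only wrap/unwrap; a local byte slice stands in for it here.
	kek, _ := newKey()
	// Constructed sample record, not real personal data.
	rec, _ := EncryptRecord(kek, []byte("Jane Citizen, DOB 1980-01-01"), "customer/42")
	fmt.Printf("stored: dek=%x... data=%x...\n", rec.WrappedDEK[:8], rec.Ciphertext[:8])
	// An attacker holding the dump but not the real KEK recovers nothing.
	otherKEK, _ := newKey()
	_, err := DecryptRecord(otherKEK, rec, "customer/42")
	fmt.Println("without the real KEK:", err)
	// Integrity: a single flipped byte in the stored ciphertext is detected.
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 0x01
	_, err = DecryptRecord(kek, rec, "customer/42")
	fmt.Println("tampered record:", err)
}
```

The point for a breach scenario is the split between `Ciphertext`/`WrappedDEK` (what a database dump contains) and `kek` (what it does not): the stolen rows stay opaque until the KEK is used, so protecting and auditing access to the KEK becomes the control that decides whether a breach of the data store is "likely to result in serious harm". Per-record DEKs also keep any single key from covering the whole dataset and make selective key destruction possible.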
Like to find out more about complying with NDB?