The Dummy's Guide to the Notifiable Data Breaches (NDB) Scheme

In September 2017, Equifax stated in an official release that their company databases had been attacked, which affected personal information of more than 143 million Americans, and some British and Canadian customers. The intruders gained access to names, Social Security numbers, birth dates, driver’s licenses, and credit card numbers of more than 209,000 customers.

The breach quickly became a major headline all over the world. Equifax was criticized for the lack of data protection as well as the delay in notifying authorities to minimize further damages. Three weeks after the news broke, the CEO had to step down amid the public backlash and a mountain of class-action lawsuits.

The Equifax hacking scandal was a wake-up call for law enforcement and prompted world leaders to step up their efforts to protect personal data and privacy. Even though Australian citizens were not impacted by the Equifax scandal, the Office of the Australian Information Commissioner (OAIC) launched the Notifiable Data Breaches scheme in February 2018 as a fresh attempt to hold companies accountable to inform customers in case of harmful data breaches.

So what is the Notifiable Data Breaches (NDB) scheme and who is likely to be affected by it? Here is a quick guide to walk you through the basic concept of the law and how to prepare for it.

What Is the NDB Scheme?

The Notifiable Data Breaches (NDB) scheme is a part of Australia's Privacy Act that contains 13 principles, regarding entities’ obligations for the management of personal information.

In the most simple terms, the scheme requires companies to notify individuals and the Commissioner about data breaches that are "likely to cause serious harm."

What Is Meant by 'Serious Harm'?

According to the Data Breach Preparation and Response Guideline, 'serious harm' causes damages to an individual's physical or mental well-being, finances, or reputation.

Examples of harm include:

• Financial fraud including unauthorized credit card transactions or credit fraud
• Identity theft causing financial loss or emotional and psychological damage
• Domestic violence
• Any physical harm or intimidation

What Is Considered a Data Breach?

According to the NDB scheme, a data breach occurs when “personal information held by an entity is subject to unauthorized access or disclosure or is lost.”

Data breaches can occur for various reasons, such as:

• Devices (computers and storage media) or paper records that contain personal information are lost or stolen
• Unauthorized employees gain access to customers’ personal information
• Human error unintentionally discloses personal information to the wrong person
• Failure to recognize malicious actions by third parties, as a result of inadequate identity verification procedures

A Data Breach Is Considered Harmful… Now What?

The NDB scheme emphasizes that a data breach notification must be made when there are reasonable grounds to believe it would cause severe damages. In fact, if a remedial action successfully prevents a serious harm to individuals, you may not have to notify the Australian authorities.

Who Is Affected by the NDB Scheme?

The NDB scheme applies to all Australian Government agencies, businesses, and non-profit organizations that have an annual turnover of more than AU $3 million. Small businesses are not subject to the NDB scheme unless they provide health services or trade in personal information. Credit reporting bodies or credit providers and companies that hold tax file numbers are also among the affected entities.

When Do You Need to Inform Authorities About Data Breaches?

When a breach is identified, the organization has to implement a necessary assessment to determine the likely risk to individuals. In most cases when the organization's found the breach cannot be contained, it must inform the Office of the Australian Information Commissioner (OAIC) and all affected customers as soon as possible.

In some cases, breached organizations can decide to delay the notification or not inform the OAIC. Examples of those cases are:

• Eligible data breaches involve more than one entity
• Breached data contains sensitive and undisclosed information
• CEO has reason to believe that notifying individuals would likely jeopardize law enforcement or police-related activities
• OAIC Commissioner declares in writing that the entity does not have to comply with NDB scheme

How Much Time Does an Organization Have to Complete Their Assessment?

The NDB scheme states that all reasonable steps to complete the assessment must be done within 30 calendar days after a suspected eligible breach is acknowledged. Failure to turn in the assessment on time might be considered a breach of the NDB scheme.

What Is the Penalty If an Organization Fails to Comply with the NDB?

A penalty for failed compliance with the NDB scheme can be up to AU $2.1 million, depending on the significance and likely harm that may result from the data breach. The OAIC can seek a civil penalty order against the organization if it finds an inadequate attempt to report an eligible data breach on two or more separate occasions. Furthermore, loss of public trust and damage to company reputation are likely consequences when a breach is found.

When Does This Apply?

The NDB scheme took effect in February 2018.

What Does It Mean for Customers?

Overall, the launch of the new NDB scheme is good news for consumers. Similar to the EU General Data Protection Regulation (GDPR) or the Dutch Data Protection Authority (DPA), under the new NDB scheme, Australian citizens have the right to demand transparency and hold the organization fully responsible in case a breach occurs.

In the worst case scenario when you find yourself a victim of data breaches or identity theft, take these following steps immediately:

• Contact the authority
• Place a fraud alert on your account which requires lenders to contact you if someone tries to apply for credit
• Freeze your accounts

If you are a victim of the Equifax breach, you can follow the steps in this handy instruction here.

What Do the New Regulations Mean for Companies?

If you are handling sensitive data, you need to raise the security level. Simple as that.

The introduction of the NDB scheme and any other data protection laws indicates a fundamental shift in public perception toward a secure environment for personal privacy and data. And from the look of it, authorities are willing to take a hard stance against organizations who have histories of mishandling sensitive information. At times, you might find it much cheaper to have a proper security strategy in place, rather than risk facing the penalties.

But do not despair, making a comprehensive data security action plan is not rocket science. The primary goals are identifying the potential risks earlier, securing your data with software, and providing quick responses in case a harmful breach happens. Here are some tips:

1. Assess the risks

“Never assume your data is safe, even if it’s online,” said Jack Schofield, technology writer, and the inventor of Schofield's Three Laws Of Computing. When it comes to data protection, it’s better to be pessimistic. For example, an increasing number of U.S law firms started to implement some drastic tactic to prevent data breaches, including limiting file access to confidential information.

You don’t have to implement the same tactic as those organizations. The point of pessimistic approaches is to identify the risks early through thorough data assessment. Only by doing so, you can foresee probable loopholes in your system and then find the best solutions to fix them.

2. Comply with international data regulations

If you are a foreign organization who handles Australian information, you must comply with the NDB scheme. The same logic applies to Australian organizations who obtain foreigners’ data.

With the introduction of more and more privacy laws or data regulation laws, it will be difficult for organizations to stay out of the scope of the legislation. Instead of changing your security policies every time a new bill is introduced, you can take a proactive approach by integrating data security into the business culture and equipping your computers with adequate software.

3. Set up a comprehensive response plan

You should always have a response task force in place to facilitate swift responses and ensure that all obligations are met in case a data breach occurs.

The OAIC’s Data Breach Preparation and Response Guideline provides an excellent set of instructions to assemble and train a response task force.

4. Protect your data with security software

One of the most common mistakes people have when it comes to cybersecurity is that we tend to count on our instinct to make the right decision. Sadly, 28 percent of data breaches in 2017 were caused by human error, according to the Cost of Data Breach Study by the Ponemon Institute. On the other hand, the study also shows that the extensive use of encryption reduced cost by $16 per capita, from $141 to $125. 

If you are looking for an in-depth solution to protect your data from physical and virtual threats, Jetico’s Endpoint Data Protection is the answer. It is a comprehensive solution of whole disk encryption, encryptions for selected files and folders, and data wiping. The solution is explained as follows:

Whole disk encryption

Imagine your disk is your house, and your data are your belongings. The idea of whole disk encryption is basically the same as locking your front door.

To protect against intruders, you need to install a new lock on your front door. In term of computer protection, the 'lock' is equivalent to whole disk encryption. For ultimate security, you would want specialized tools which are more difficult to be forged. These tools can be provided by a  trusted provider, i.e. Jetico.

When it comes to whole disk encryption, Jetico's BestCrypt Volume Encryption is one of the best in the biz which guarantees both data security and customers' privacy. It uses the most advanced algorithms for disk encryption and has no backdoors whatsoever. You can find parts of the product's source code on the official website. On top of that, the product is in compliance with most of the regulations, including HIPAA, GDPR, and CPI.

File and folder encryption

Imagine you left the front door open and the intruders get into your house, what would be the best way to protect your most valuable assets?

Most people store their most valuable assets in a secret vault or a hidden place in case of unexpected break-ins. The same logic applies to your data. You need a secure container to store your sensitive data so that the intruders can't break into.

Using BestCrypt Container Encryption, you can create a protection layer (a vault) for your sensitive data and set a password that only you know to open it. BestCrypt Container Encryption also protects your files and folders in file hosting services, such as Dropbox or Google Drive.

Data Wiping

You want to move into a new place and want to sell your own house. But before listing it online, you must make sure that nothing’s left behind. You don’t want anyone to have your bank account details from the trash can, do you? And in the case of data wiping, everyone and their mom knows that emptying the trash is not a secure means for clearing data.

To permanently remove your unwanted data, you need a stronger tool. Acknowledged as a military standard wiping tool, BCWipe does a thorough cleanup and wipes selected data beyond any forensic recovery, even residual data aka data remanence. BCWipe is a pure and simple data wiping software for National Security, Compliance, and Personal Privacy. It is also the trusted product of the U.S Department of Defense for more than 10 years.

Where Do I Find More Information About the NDB Scheme?

All information about the NDB scheme can be found on the official website of the OAIC. You can also find useful practice and detailed instructions on how to comply with the NDB scheme in the Data Breach Preparation and Response Guideline.

Conclusion

Regarding the Equifax breach, security expert Bruce Schneier noted that thousands of data brokers are discreetly mishandling sensitive information and putting billions of customers’ data at risk of serious attacks. He also pointed out the inadequacy of the existing regulatory system in protecting customers’ rights.

It’s plain as day that we need stricter regulations to make organizations rethink their data security strategy. And though there are still concerns about the scope of new regulations such as the NDB scheme or GDPR, at least they are a step in the right direction in our fight against data breaches and violation of personal privacy.

​​​​​​Now more than ever, organizations who are handling customers’ data must have a robust infrastructure and data security solution. It is no longer a matter of whether or not you need to comply with the new regulations, it is now your responsibility to the customers to take cybersecurity seriously; for your customer’s sake.