The NDB Scheme: Australia's new cybersecurity rules

In today’s global online marketplace, businesses can find customers, manage workforces and accept payments more easily than ever before. That’s great news, as long as everything works smoothly.

Email, e-commerce and cloud storage platforms have become the foundation of day-to-day business activity, but they also create opportunities for infiltration and fraud by criminals. One of the most serious problems companies face when trading online is the risk of valuable, sensitive information falling into the wrong hands.

What is the NDB Scheme?

When people transact with businesses online, they share a lot of information: identification data, credit card details and personal documentation. All of this data is a tempting prize for cybercriminals who want to exploit it to commit online fraud.

On February 22, the Australian Government’s Notifiable Data Breach (NDB) Scheme came into effect. Under the NDB Scheme, companies that handle people’s personal data (bank account information, credit card details, medical records and so on) are obliged to report data breaches to the Office of the Australian Information Commissioner (OAIC).

They must also directly inform people whose information is exposed so they have the best possible opportunity to protect themselves from adverse effects.

For the purposes of the NDB Scheme, the OAIC defines a data breach as:

“Unauthorised access (of data) by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party... For example, a computer network is compromised by an external attacker resulting in personal information being accessed without authority...”

What sort of data does the NDB cover?

The broad terms of the NDB Scheme could be applied to almost any sort of data, from address lists in mobile phones to company HR records and customer credit card details stored on servers.

However, the criteria for mandatory notification under the scheme also require that ‘serious harm’ be likely to occur as a result of the breach for it to come under the NDB rules.

There is some room for speculation about what qualifies as ‘serious harm,’ but the advice from the OAIC stipulates that it can include psychological and reputational damage as well as financial loss.

Although the NDB regulations cover many different types of data breach, the OAIC specifies four categories that are ‘more likely to cause an individual serious harm if compromised.’ These high-priority data categories are:

  • Sensitive information, such as information about an individual’s health
  • Medicare card, driver’s licence and passport details
  • Financial records
  • A combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about

The last item on the list above is particularly important because combining multiple data points about a single person makes identity theft and similar fraud easier for cybercriminals.

NDB Scheme objectives

Legislators around the world are grappling with the same question: how to steer the digital economy toward a more secure future?

The NDB Scheme aims to incentivise better cybersecurity practices in Australian companies and organisations. Rigorous cybersecurity is of the utmost importance in an increasingly connected, digital economy, and this new legislation intends to mandate security accountability standards across industries and government bodies.

Compliance with the NDB will give organisations clear parameters for measuring their cybersecurity success, nurturing trust with consumers and business partners through greater security transparency and standardisation.

Focus on big business

The NDB Scheme is designed to focus on medium to large businesses with annual revenues of more than $3 million.

Any company storing personal or financial data of individuals should take steps to comply with the NDB Scheme.

Small business operators are largely excused from NDB compliance, but there is an extensive list of exceptions to this general rule. Small business owners who are unsure about their responsibilities can check the compliance rules on the OAIC website: www.oaic.gov.au.

NDB: take action

Basic NDB compliance can be summarised in three steps:

  • Data audit
  • Risk assessment
  • Cybersecurity implementation

Data audit

The first step toward NDB Scheme compliance is knowing what data a company is collecting and how it is stored.

A comprehensive data audit is fundamental to compliance because a company needs to establish what information they handle that could come under the purview of the NDB.

The NDB Scheme is very inclusive in its scope, so a comprehensive data audit should cover every platform, device type and department, and all types of assets stored in every format, including:

  • Databases
  • CRM platforms
  • POS purchase information
  • Online shopping records
  • Marketing lists
  • Social media contacts
  • Excel spreadsheet records
  • Company data held by contractors and other third parties

Risk assessment

Once a data audit has established a clear picture of how a company’s data management works, the next step is to make a risk assessment:

  • Who is responsible for the company’s cybersecurity management?
  • What cyber-threats could the company face?
  • Where are the security weak points in the technology infrastructure?
  • Does the company have effective cybersecurity measures in place?
  • What security software is deployed?
  • Does the company have education programs in place to minimise human security vulnerabilities?
  • What events or signs would indicate that data storage was compromised?
  • What is the company’s responsibility to third parties whose data they handle?

Cybersecurity implementation

The OAIC stipulates procedures for the assessment and reporting of notifiable breaches, but it’s important to consider the overarching question the NDB Scheme raises: are companies taking proactive steps to prevent data breaches?

High-priority data security actions:

  • Use strong passwords and two-factor authentication
  • Provide cybersecurity education to your staff
  • Get professional advice on how to strengthen your company’s security
  • Make sure you have solid data backup and recovery procedures in place
  • Implement local and cloud-based cybersecurity protection

Initiating greater accountability and transparency in data management is only half of the formula for NDB preparation. If a company suffers a ‘serious data breach,’ their compliance responsibilities to the OAIC will only be one of their problems.

Businesses are losing millions of dollars to cyber-attacks that could have been prevented. Cybersecurity is often seen as an IT issue; many CEOs imagine that their IT department will take care of it, but it just isn’t that simple anymore. Good cybersecurity policy requires the involvement of all levels of management and a commitment to educating every member of a team.

Next steps:

To learn more about the NDB, check out our Security Webinar: The rise of cybercrime.

Re-posted with permission from Mailguard