Several years ago, JDS received a fax. This was unusual for two reasons: firstly, it was a fax in the 21st century; secondly, it was an authorisation for payment of 60 million dollars from a large market fund. The fax was from a broker, who was merely confirming 'our' bank account details before sending through the transfer—if JDS were in the business of heists, it would have been a matter of changing a digit or two, then faxing the form back for payment.
As you can tell by the fact JDS haven't converted downtown Melbourne into a tropical beach, no such skullduggery transpired: instead, JDS MD John Bearsley called the broker and explained that he might have the wrong fax number on file. The broker was a bit shocked, to say the least. But what about the client? Did they ever find out?
Under Australia's new mandatory data breach notification laws (the Notifiable Data Breaches scheme), applicable from 22 February 2018, the broker would very likely have been required to notify the client and the Office of the Australian Information Commissioner (OAIC) of the breach. This is because, through a simple mix-up, we gained access to personal and financial information about the fax's intended recipient, and the breach could plausibly have resulted in serious harm. Under the new requirements, a data breach is to be dealt with in four steps:
- Contain the breach and make a preliminary assessment
- Evaluate the risks to the individuals associated with the breach
- Consider whether notification is required
- Review the incident and take action to prevent further breaches
The difference between this new scheme and any internal risk or incident management procedure lies in the role of compulsory reporting. If the breach is likely to result in serious harm, then the affected individuals and the OAIC must be notified (and, depending on the incident, the police may be as well). The notification must describe the breach, the kinds of information involved, and the steps affected individuals should take to protect themselves; in practice it will also set out how the breach was contained and what has been done to prevent a recurrence.
So what constitutes 'serious harm'? This depends on the type of information, its sensitivity, whether it is protected (for example by encryption) and how easily that protection could be overcome, whether it can be combined with other information to cause harm, the attributes of the person or body who now holds it, and the nature of the harm that could result. The scheme ties into existing Australian privacy and information security legislation, and has particular relevance for organisations that hold databases of personal or sensitive information about their customers or users. Consider the following IT security-related disasters that have come to light, noting that a number are based in the US, where compulsory reporting is already in effect:
The above breaches cover a wide range of industries, from health to insurance, government, and education. They have led to wide-ranging financial and reputational damage.
It would be naive to think that similar data breaches don't take place in Australia, though at the moment it is not compulsory to report them. In 2015–2016, 107 organisations voluntarily notified the OAIC of breaches, and we are likely to see a sharp rise in this number once the new legislation takes effect.
What does this mean for your organisation?
If your organisation deals with sensitive or personal information, including data such as emails, passwords, addresses, birth dates, health records, education records, passport numbers, ID numbers, travel information etc., then you need to prepare for the upcoming legislation. Part of this will be ensuring you have the correct policies, procedures, and training in place—and the other part will be making sure your environment is protected. The security of your IT infrastructure has always been, and will continue to be, vital: but now, there is an increased risk to your organisation, financially and particularly reputationally, if you do not ensure your environment is as secure as possible before mandatory reporting comes in. Test and assess your infrastructure and applications now, rather than down the line following a reportable incident.
For advice or to book an assessment, call our friendly JDS consultants today.