Mandatory Disclosure and Statutory Notification a wakeup call for Business – November 2017
Recent news articles have highlighted the seriousness with which the Federal Government is treating Data Breaches affecting Australian organisations.
This follows hot on the heels of the recent announcement that the Federal Government is planning to invest up to $140 m into an “industry led” cooperative research centre focussing on cybersecurity. https://www.itnews.com.au/news/govt-industry-invest-140m-for-cybersecurity-crc-473948
The government has just released a draft of the statement it expects organisations to file if they suffer a data breach after February 2018. Under laws passed last year, organisations will have to report a data breach as soon as practicable, including its severity, the type of breach (financials, government and tax details and other “sensitive” information), and the estimated harm to those impacted. The OAIC (Office of the Australian Information Commissioner) will collect and publish statistics in connection with the scheme, with a view to reviewing this approach 12 months after the scheme’s commencement. Comment on the draft statement is accepted until 23rd October this year. https://www.itnews.com.au/news/govt-reveals-data-breach-notification-format-474360?utm_source=mobile&utm_medium=linkedin&utm_campaign=share
AGC Networks Australia recently hosted a group of C-Level executives to discuss the upcoming requirements. Concerns that were identified relating to this new Legislation included:-
- What to do to comply with the new requirements
- The extent of the data they are expected to collect
- Defining “breach vs compromise” and what exactly constitutes “serious harm”
- Agreement that Cyber Security is not just an IT risk – it is a Business risk and a Board risk
In the end, the discussion group agreed that the following actions needed attention in the future:-
- While focus on the notification process is important, organisations need to focus on prevention in the first place….
- Contracts and Service Agreements need review in consideration of the legislation….
- Incident management plans are vital, but this is part of the cyber security strategy and prevention is still the first step…..
These recent initiatives underline the fact that cyber security is no longer associated only with military, government or large corporate targets. All organisations are at risk, and must proactively consider the security and privacy of their ICT services and the customer / supplier information they manage.
A crucial part of any organisation’s strategic plan MUST recognise the very real threat of cyber-attack, including prevention in the first instance, ongoing management and monitoring, and recovery once a legitimate breach has been identified.