After much delay and a little debate, Australia finally has an operational Mandatory Data Breach Notification law. In case you have been living under a rock, as of February 22nd most organisations are required to notify any individuals likely to be at risk of “serious harm” as a result of a data breach, together with the Privacy Commissioner.
However, the new law is unlikely to move the needle on the volume and timeliness of reporting we can expect to see in the near term, as most organisations are woefully underprepared.
The first organisations put to the test over a breach in the public arena need to know what they are doing about it, lest they appear unprepared. A data breach is a hot issue; if you don't know what you are doing, it's going to get very hot, very fast!
So if you haven't already, ask the following questions:
- What would a serious cyber security incident cost our organisation?
- Who would benefit from having access to our information?
- What makes us secure against threats? Do we really understand the risks and controls specific to us?
- Is the behaviour of our team enabling a strong security culture?
- Do third parties have access to any of our data?
- Are we ready to respond to a cyber security incident?
- Do we have adequate cyber insurance in place?
If you haven't already developed a plan, consider this: a strong incident response program includes the following components:
- Clearly defined roles and responsibilities within your team. Have all stakeholders been identified and trained on their responsibilities in the event of a cyber incident or breach?
- Technology. What information security detection, alerting and mitigating technology solutions are in use?
- Reporting. Has the organisation identified all of its obligations related to reporting an incident? Legal? Regulatory? Contractual? To shareholders?
The new legislation is a major change for organisations; many are not well prepared and have work to do. Reputation and brand are most at risk from a breach, so be proactive and make sure yours is not one that gets cooked.
Get in touch if you want to discuss your business in the context of these important changes or stay across news on our dedicated cyber security webpage.