Cover Feature Cyber Security
Now what? I have to notify the OAIC? A seven-step plan to keep OAIC at bay.
By David Stafford-Gaffney

It is Monday 19th March and the day started like any other. On your way to the office, you stop at your regular café to grab your coffee; the barista looks at you and says, “large cappuccino?”, you nod, already tasting the coffee in the air, and as you ponder the day ahead, you take a brief moment to peruse the morning’s newspaper. Tucked away on the middle pages, a competitor’s name in the headline catches your eye. It immediately has your attention; you quickly scan it and you are not sure what to make of it. A wry smirk begins to form, just before you completely grasp the reality of the situation. Your competitor has had personally identifiable information, from one of their databases, made open to the public. You repeat the sentence in your head as the gravity of the breach begins to take hold. You read further: they have had to report to the OAIC. But who is that? You have never heard of them. They are now required to demonstrate the reasonable steps they took to contain the breach and articulate the steps taken to protect the information in the first place. Your gut begins to turn with that uncomfortable knot that tells you that you have lost control over an element of the business and time is of the essence. However, where would you even start? It’s time to find out more about this OAIC…

As you have probably guessed, the competitor has suffered an eligible data breach under the recently sanctioned amendment to the Privacy Act called the Notifiable Data Breaches legislation. Essentially, organisations that qualify under this amendment, due to go live on February 22nd, are required to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach.

44 | Australian Cyber Security Magazine

This does not apply to my organisation, I hear you say, we are too small. The troublesome aspect of this legislation is that the net has been cast wide in terms of those required to report on a breach. Let us break it down. The legislation contains a few key points that we need to look at in more detail:

• What is the size or type of the organisation that needs to comply?
  o Any organisation that must currently comply with the Privacy Act, namely:
    - Businesses or not-for-profit organisations with an annual turnover of more than $3 million.
    - Private sector health service providers.
    - Credit reporting bodies.
    - Credit providers.
    - Entities that trade in personal information.
    - Tax File Number (TFN) recipients.

• What exactly is an eligible data breach?
  o A data breach is considered eligible where the unauthorised access of information is likely to result in serious harm to an affected individual.

• What happens next?
  o The organisation must contain or remediate the unauthorised access or the vulnerability that caused it, and then notify the affected individuals and the OAIC.
That is a lot to take in and hopefully by now you have finished your coffee so we can devise a plan to help your