Updated February 15, 2018

5 things MSPs can expect from Data Breach Laws

  1. More Publicity. Stories of data breaches in Australia (and globally) have increased in number over the last 6 months. It is possible that several large companies, or "entities", started the reporting and notification process before they were legally required to, ahead of both the Notifiable Data Breaches Act (NDB; commencing 22 February 2018) and the General Data Protection Regulation (GDPR; commencing 25 May 2018) coming into effect.

    Entities who report to the Office of the Australian Information Commissioner (OAIC) accept that the OAIC may publicly refer to the undertaking or investigation and publish an investigation report detailing the incident, unless they are exempted from this under the NDB Act.
  2. Updated Terms and Conditions and Privacy Policies. The NDB Act brings in a new and comprehensive set of updated Privacy Principles. These 13 principles will strictly govern the collection, use and transfer of information by entities for sales and marketing purposes.

    These principles require greater awareness and accountability from entities who control data as a service (for clients). This includes employee data (e.g. TFN / VAT, bank accounts, contact details or any medical information). Transferring personal information without consent (e.g. a client email list) means both entities, the sender and the recipient, will be subject to the NDB Act and its penalties in the event of a notifiable breach of that data.

    In the I.T. and Information Security industries in particular, MSPs can take steps to navigate this legislation. This includes updating Terms and Conditions, and advising clients of their responsibility to report a notifiable data breach. The OAIC recommends that the party with the most direct relationship to the people affected should be the one to report any notifiable data breach and notify the affected people.
  3. Quicker "Remedial Action". Entities can avoid a legal penalty if they take "remedial action" that prevents serious harm to end clients. With this in mind, it is clear that entities need to focus on bringing down the number of days it takes to identify a breach, so that each one can be efficiently investigated and contained.
  4. Clearing the Grey Area. For Australian entities, there are foreseeable 'grey areas' around what constitutes "reasonable grounds" to suspect a data breach and "notification as soon as practicable" after a data breach has been identified. Any ambiguities will be cleared up (initially) on a case-by-case basis after the legislation commences.

    By contrast, the EU's GDPR sets a strict 72-hour window after a "Personal Data Breach" has been identified for an entity to report it. Eventually, the Australian legislation will require an amendment for more effective enforcement.
  5. Better Data. The reporting of data breaches will improve the availability of accurate data on Australian data breaches and their causes, particularly in the health and financial industries. Currently, the Australian Bureau of Statistics provides only a small sample of data relating to Cloud and Information Technology. The Australian Competition and Consumer Commission (ACCC) also provides detailed monthly 'Scam Watch' statistics covering malware (and other causes) and their economic impact.

    As knowledge of data breaches becomes more public, reporting processes, both internally and to the OAIC, will improve. With better data available, entities can work more actively to prevent unauthorised access and data breaches.

Please Note: the above article is not intended to replace legal advice. Please contact the governing body, the Office of the Australian Information Commissioner, for specific advice on how the NDB relates to your business.