From 22 February 2018, organisations covered by the Privacy Act 1988 that operate within Australia, including businesses with annual turnover of $3 million or more, are obligated to comply with the Notifiable Data Breaches (NDB) scheme. Whether or not staff use mobile devices for work does not change the obligation; it changes how hard the obligation is to meet.
The scheme applies to any agency or organisation that the Privacy Act already requires to protect personal information, including Australian Government agencies, businesses, and not-for-profit organisations.
Your obligations regarding NDB
Under the scheme, organisations are obligated to "notify individuals whose personal information is involved in a data breach that is likely to result in serious harm". Organisations must also notify the Australian Information Commissioner of any eligible breach. Notification must be made as soon as practicable once the organisation is aware that an eligible breach has occurred; where a breach is only suspected, the organisation has thirty days to assess whether it is eligible. Meeting that timeline in practice requires detection and alerting on every endpoint that handles personal information, because an organisation cannot assess a breach it has not noticed. Employee credentials are personal information under the legislation, so a breach involving them must be assessed and, where eligible, reported like any other.
The civil penalty for serious or repeated non-compliance is up to $420,000 for individuals and $2.1 million for organisations. Mobile devices such as smartphones and tablets fall squarely within the scheme: they handle a significant amount of corporate data and are commonly tied to the personal information of Australian individuals. Because these devices are used for both work and personal access, a single compromise can expose both an individual's and an organisation's data. The legislation does not prescribe specific controls, but the practical consequence is clear: restrict access to customer records from mobile devices, and avoid storing personal information locally on the device, so that a lost or compromised handset is far less likely to constitute an eligible breach.
NDB for Mobility
As enterprises continue to empower their workforce with mobile technology and look for increased productivity outside the workplace, they face an increased risk of a data breach. Each mobile device represents a potential back door into the corporate network. Companies need to understand that:
- The mobile landscape is diverse, and not all threats are the same
- Protection against threats must cover multiple access levels, including device, app, network, and content protection
- Security begins with knowing who is accessing the network, what devices and plans they have, and what applications they are using to access corporate data
- Real-time monitoring is an essential part of security – including understanding when software is updated, what content is live, and what is being uploaded and downloaded
Enterprise NDB Strategy
Under NDB, responsibility for compliance rests squarely with business leaders, and businesses need to understand their risk exposure. This includes acknowledging that company devices are used for personal reasons after work hours, and that policies must be in place to keep corporate data safe under those conditions.
An informed NDB strategy is the best one. Companies can improve their visibility by:
- Developing risk management strategies regarding what is at risk, where the risk is, how a breach might occur, and what to do in the event of a breach.
- Updating and enforcing policies to ensure up-to-date and adequate measures are in place that not only protect the company, but keep it fully compliant with NDB legislation
- Enabling active data monitoring to understand where data is transmitted and to have real-time insight in the event of a breach
- Monitoring the apps and services associated with their mobile fleet and using risk-based reporting for quick assessment of potential data breaches
Guidance on what companies need to do to prepare for the legislation is available from the Office of the Australian Information Commissioner. If you are uncertain about how the NDB legislation applies to you and your business, reach out to an imei consultant today. Do not leave it too late: find out now whether you are compliant.
References:
Notifiable Data Breaches Scheme: Office of the Australian Information Commissioner