Reporting Cyber-Attacks Under the Notifiable Data Breaches Scheme: When, How, and Why

When cyber incidents occur, the aftermath isn’t just a matter of technical clean-up; it’s a maze of legal obligations and ethical considerations. Among the key questions that arise is whether Australian businesses are mandated to disclose these cyber-attacks. 

The answer is shaped significantly by the Notifiable Data Breaches (NDB) Scheme, legislation designed to govern the reporting of particular cyber incidents.

But how does this legal framework affect your business? Do you risk non-disclosure penalties if you don’t report an incident to the scheme?

Cyber Incidents: What Are They?

A cyber incident is any event that compromises the confidentiality, integrity, or availability of digital information or business operations. This could range from an employee inadvertently clicking on a malicious email link that exposes the business to a phishing attack, to more complex scenarios involving ransomware or sophisticated malware infiltrating company networks. 

These incidents are more than disruptive; they can lead to significant data loss, financial strain, and erosion of customer trust. In reality, most cyber-attacks on businesses stem from simple human error or overlooked security updates.

Recognising and understanding these incidents in their various forms is the first step towards effective management and prevention.

The Notifiable Data Breaches Scheme

Enacted as part of the Privacy Act 1988, the NDB Scheme mandates that Australian businesses and organisations take responsibility for protecting personal information they hold. More importantly, it requires them to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach occurs that is likely to result in serious harm.

By making breach notification a legal requirement, the scheme aims to ensure that individuals are informed and can take protective action when their personal information is compromised. This, in turn, strengthens public trust in the digital economy and reinforces the importance of data security within the business ecosystem.

Business Obligations Under the NDB Scheme: How to Report a Cyber-Attack

For businesses subject to the NDB Scheme, the obligations are clear, yet they require careful attention to detail. A data breach becomes notifiable if there are reasonable grounds to believe that the breach could result in serious harm to any individual affected. This serious harm isn’t limited to financial loss; it can encompass emotional, psychological, or even reputational damage.

When assessing a potential breach, businesses must consider the nature and sensitivity of the information involved, the likelihood of malicious use, and the identity and motives of whoever gained unauthorised access to, or disclosed, the information.

If a breach is deemed notifiable, the entity must promptly undertake the following steps:

1. Assess the Incident

Conduct a swift and thorough investigation to ascertain the breach’s scope and the risk of harm to affected individuals. This assessment should be completed within 30 days of the breach being identified.

2. Notify Affected Individuals

Inform those impacted by the breach in a clear, concise, and timely manner. This notification should include recommendations on the steps individuals can take to protect themselves from potential harm.

3. Report to the OAIC

Submit a statement to the Australian Information Commissioner detailing the breach, the personal information involved, the likely consequences, and the steps taken or proposed to address the situation.

Regulatory Compliance: What Australian Businesses Should Know

Data privacy laws, regulations, and industry standards can be complex to navigate, but complying with the NDB Scheme is a formal legal obligation; risking noncompliance in the event of a cyber-attack could lead to drastic consequences.

Key NDB scheme compliance considerations:

  • Scope of Application: The NDB Scheme applies to all Australian businesses and organisations covered by the Privacy Act 1988. This includes both large corporations and SMBs, particularly those handling sensitive customer information like health records or financial details.

  • Preparedness: Have a clear response plan in place for potential data breaches. This includes designated roles and responsibilities for assessing and responding to incidents.

  • Timely Response: Time is of the essence when dealing with data breaches. Assess the situation and respond appropriately within a strict time frame, typically 30 days from when the breach was discovered.

  • Clear Communication: When notifying affected individuals and the OAIC, clarity and transparency are crucial. Notifications should include what happened, the type of information involved, the possible consequences, and steps individuals can take to mitigate potential harm.

  • Documentation: The NDB Scheme requires keeping detailed records of data breaches and the response process, both for compliance and for future reference and learning.

NDB Scheme: Exceptions and Exemptions

While the NDB Scheme sets a broad framework for data breach notifications, there are notable exceptions and exemptions that some cyber incidents may fall under. However, it's important to note that these exemptions do not alleviate the fundamental responsibility to protect personal information. Even if a specific breach may not require notification under the NDB Scheme, businesses should still take appropriate measures to secure their data and prevent future incidents.

  • De-identified Information: If the data involved in the breach is de-identified effectively, such that individuals cannot be reasonably identified, the breach may not be notifiable.

  • Data Held by SMBs: Some small businesses with an annual turnover of $3 million or less, depending on their activities and the nature of the data they handle, might be exempt from the NDB Scheme.

  • Law Enforcement Activities: There are exceptions for data breaches that relate to certain law enforcement or national security activities. Disclosing these breaches might compromise these activities.

  • Inconsistency with Other Laws: If notifying individuals about a data breach would be inconsistent with the secrecy provisions of other Australian laws, the obligation to notify may not apply.

Nondisclosure: Stay Silent and Risk the Consequences

Choosing not to disclose a data breach, particularly when it falls under the criteria of the NDB Scheme, can have far-reaching consequences. Beyond the immediate legal penalties, which can be substantial, the long-term effects on a business’s reputation and customer trust can be even more detrimental.

  • Legal Repercussions: Non-compliance with the NDB Scheme can attract significant fines from regulatory bodies. Such penalties are also a public indicator of a business's failure to protect consumer data, which can lead to heightened scrutiny.

  • Loss of Customer Trust: Perhaps more damaging is the erosion of trust between a business and its customers. Trust is a crucial currency, and once lost, it may not be regained.

  • Business Continuity Risks: Non-disclosure can also lead to more severe cyber security threats in the future. Without proper reporting and analysis, the root causes of breaches might not be addressed, leaving businesses vulnerable to repeat incidents.

  • Reputational Damage: News of a data breach tends to spread rapidly, and perceived negligence in handling the breach can tarnish a brand's image in the long term.

Cyber Security Solutions to Protect Against Data Breaches

While ensuring regulatory compliance with the NDB Scheme is essential, the ultimate goal for any business should be to prevent data breaches from occurring in the first place. 

Key cyber security measures for all businesses:

  • Employee Training: Human error is a leading cause of data breaches. Regular training sessions can keep staff aware of potential cyber security threats and the best practices for preventing them.

  • Regular Security Audits: Conducting periodic security audits can help identify vulnerabilities in a business’s IT infrastructure before they can be exploited.

  • Strong Access Controls: Ensuring that sensitive data is only accessible to those who genuinely need it can significantly reduce the risk of breaches. Techniques like multi-factor authentication add an extra layer of security.

  • Security Updates and Patches: Keeping software and systems up-to-date with the latest security patches is a simple yet effective way to protect against known vulnerabilities.

  • Develop an Incident Response Plan: Having a clear, documented plan in place for responding to cyber security incidents can help minimise damage and ensure a swift recovery.

  • Cyber Security Service Providers: For many SMBs, partnering with a Managed Service Provider (MSP) that specialises in cyber security can provide access to expertise and resources that might otherwise be out of reach.

Maintain Compliance and Strengthen Your Cyber Security Posture with Expert Support

By proactively implementing measures to safeguard against data breaches, you reduce the risk of cyber-attacks and of the consequences of nondisclosure, and strengthen your business's reputation as a secure and trustworthy entity.

The cyber security experts at Platform 24 provide tailored solutions, support, and risk management to keep your business fully compliant and up-to-date with industry standards. Reach out to us today, and let’s talk about your regulatory requirements.

1300 602 480