Notifiable Data Breaches: What the NDB scheme is all about
The Notifiable Data Breaches scheme (NDB) comes into effect on the 22nd of February, and the scheme will outline requirements for how you handle potential data breaches. It’s of the utmost importance that you handle a breach in the right way, as we’ve discussed before, and part of that is being transparent with your customers. The NDB scheme requires that businesses notify individuals whose personal information has been accessed, and will need to be factored into your incident response plan. Here’s what you need to know about the NDB scheme moving forwards.
What is the NDB?
Businesses are required to notify individuals whose personal information has been accessed.
This scheme has been introduced to protect the consumer, wherein the business must notify them if their details are accessed from a cyberattack. In addition to the notification, it’s also the responsibility of the business to provide guidance to the customer about how they should respond. There is a threshold in place, however. You won’t need to alert every customer to every mishap, only those likely to be affected, and only when the threat presents serious harm to the individual.
Which breaches need notification?
So what sort of breach constitutes “serious harm”? The Office of the Australian Information Commissioner (OAIC) describes this as any loss of, or unauthorised access to, the personal information of your customers. Whether this is a credit history report, credit numbers, or other personal information; where risk is present, the customer needs to know. If the business being hacked is able to eliminate the risk through remedial action, then the breach would not be regarded as eligible for notification.
Who needs to comply?
You’re probably wondering, will this affect your business? All agencies and organisations obligated by the privacy act to keep personal information secure will also be subject to the NDB scheme. This includes government agencies, businesses and not-for-profits with an annual turnover exceeding three million dollars any time after 2001. Health service providers, employee associations and entities that trade in personal information (such as credit reporting agencies) will not be exempt.
How to notify customers
There are several ways you can notify customers. The first is to notify your entire customer base, the second is to notify only the individuals whose information was accessed, and the third is to announce it publicly via the company website. They are prioritised in the above order and a business should only move to the third option if the first two aren’t practicable. Customers can be notified by the companies preferred channel, phone, SMS, social media, email, or face to face, and according to the OAIC, a notification must include the following:
- The identity and contact details of the organisation who has been hacked
- A description of the data breach
- Which information about you has been accessed
- Recommendations for what the customer should do next
How LOOKUP.com can help you
If this sounds like navigating a minefield, don’t worry, help is available. LOOKUP.com’s managed security services don’t just offer comprehensive protection and monitoring of your network, we can also help you put an incident response plan together to help you recover as smoothly as possible in the event a breach takes place. For more information, get in contact with us today.