What is NDB?
The Notifiable Data Breach (NDB) Scheme came into effect on 22nd February 2018. It establishes a mandatory data breach notification scheme that requires organisations to notify individuals who are likely to be at risk of serious harm as a result of a data breach. The NDB scheme applies to any private organisation with an annual turnover of over $3M.
Non-compliance has serious consequences
- Formal Investigation by OAIC
- Civil penalties - fines of up to $360,000 for individuals and $1.8 million for organisations
- Reputational loss
What is considered a breach under the NDB Scheme?
According to the OAIC, an eligible data breach arises from one of the following three types of breach:
- Loss of information: loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- Unauthorised access: an employee browses sensitive records without any legitimate purpose
- Unauthorised disclosure: inadvertent disclosure of personal information due to 'human error', for example an email sent to the wrong person
e-Safe protects data and prevents breaches caused by both human error and malicious activity.
The NDB scheme only applies to data breaches involving personal information that are likely to result in "serious harm" to any affected individual. These are referred to as "eligible data breaches". An eligible data breach usually involves one or more kinds of personal information. For example, the loss of customer names from a telco provider alone might not be considered likely to cause serious harm, unless the names are combined with additional information such as the customers' contact details.
As such, classification of sensitive data and clear visibility of exactly what has been lost are key requirements for identifying a breach and taking the necessary remedial actions.
e-Safe Compliance satisfies this requirement and also provides the necessary data protection that can prevent breaches from happening in the first place.
e-Safe covers all three breach types defined by the OAIC in three simple steps:
Step 1. Discover and classify sensitive data. Sensitive data is discovered and classified across various sources, including ERP/CRM systems, databases and network drives.
Step 2. Protect sensitive data from breach or loss using encryption. This ensures data remains:
1. protected from unauthorised disclosure.
2. protected in the event of a loss.
3. secured from unauthorised access by both internal and external users.
4. protected when shared with authorised 3rd parties.
Step 3. Monitor for and alert on data breaches. The access and movement of sensitive data is monitored on all corporate and non-corporate channels, and an alert is raised if the data is breached.