Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The government’s approach is one of self-regulation rather than prescription. A voluntary set of guidelines, co-designed with the private sector, is considered the best means of helping private sector organisations improve their cybersecurity resilience.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

There are none, although it is considered good practice to retain such records.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Australia’s mandatory data breach notification regime (the Notifiable Data Breaches scheme) commenced on 22 February 2018. It was enacted under the Privacy Act, is administered by the Information Commissioner, and applies to all businesses and government agencies that are subject to the Privacy Act. If such an entity suspects that there may have been an eligible data breach, it must carry out a reasonable and expeditious assessment, within 30 days, of whether there are reasonable grounds to believe that an eligible data breach has occurred. An eligible data breach arises where there has been unauthorised access to, unauthorised disclosure of, or loss of personal information and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates. Serious harm is not defined in the Act but is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. Once the entity has reasonable grounds to believe that an eligible data breach has occurred, it must notify the Information Commissioner and the affected individuals as soon as practicable.

Timeframes

What is the timeline for reporting to the authorities?

From 22 February 2018, an entity that has reasonable grounds to believe that an eligible data breach has occurred must notify the Information Commissioner and affected individuals as soon as practicable. Mere suspicion does not itself trigger notification: if the entity only suspects that an eligible data breach may have occurred, it must complete its assessment within 30 days, and the notification obligation arises once that assessment gives it reasonable grounds to believe that an eligible data breach has occurred.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

The only mandatory reporting obligations relate to ‘eligible data breaches’ under the Privacy Act. These require affected organisations to notify the Information Commissioner and affected individuals; there is no general obligation to report threats or breaches to other industry participants or to the public.

The steps needed to notify individuals of an eligible data breach will depend on the circumstances, but will usually involve sending them a copy of the statement prepared for the Information Commissioner via the usual means of communication between the entity and the individual. At a minimum, the statement must set out the organisation’s identity and contact details, a description of the breach, the kinds of information concerned and the steps the entity recommends affected individuals take in response. For example, where financial information was involved, this could include a recommendation to monitor bank account activity more closely or to cancel credit cards. If it is not practicable to notify individuals directly, the entity must publish a copy of the statement on its website and take reasonable steps to publicise its contents.