Zero Trust Security for the New Australian Data Breach Law

Many Australian businesses need to rethink their approach to security to prepare for their nation’s new mandatory data breach notification law which take effect this month. The Privacy Amendment (Notifiable Data Breaches) Act 2017 enacts the Notifiable Data Breaches (NDB) scheme in Australia from February 22 this year. The NDB scheme mandates that organizations suffering lost or breached data must notify affected customers as soon as they become aware of the breach and must also report the incident to the Privacy Commissioner.

The legislation covers information such as personal details, credit reports, credit eligibility details, and tax file number (TFN) records held by organizations including Australian Government agencies, businesses and not-for-profit organizations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others. Penalties range from fines of AU$360,000 for individuals to AU$1.8 million for organizations.

Unfortunately, many Australian businesses remain security “sitting ducks” because their defenses are out of date. Today, businesses use a combination of cloud, on-premises and mobile services, which means traditional perimeter-based security is no longer effective. This is evident from research such as Verizon’s 2017 Data Breach Investigations Report (DBIR) which revealed that compromised credentials were responsible for 81 percent of all data breaches.

Centrify-sponsored research in Australia, conducted last year by Ponemon Institute, revealed that publicized data breaches damaged both corporate value and customer trust. This study shows that many companies underestimate the true impact of a data breach. Ponemon found the stock value index of 113 randomly selected global companies declined by an average of five percent on the day a data breach was disclosed and experienced a customer churn rate of as much as seven per cent. Also, one third of Australian consumers impacted by a data breach reported they had discontinued their relationship with the organization that experienced the breach. This is a vital lesson for organizations to learn as Australian law mandates data breach disclosures.

Companies need to re-evaluate their entire security posture from the ground up, by focusing on protecting identities rather than the network perimeter. The solution is available and Centrify believes that companies need to adopt a Zero Trust Security model which verifies every user, validates their device and limits the amount of access and privilege to resources while continually learning & adapting.

Learn more about Zero Trust Security