The NDB Scheme: Australia's new cybersecurity rules

Posted by Emmanuel Marshall on Mar 7, 2018 4:34:23 PM

In today’s global online marketplace, businesses can find customers, manage workforces and accept payments more easily than ever before and that’s great news, as long as everything works smoothly. 

Email, e-commerce and cloud storage platforms have become the foundation of day-to-day business activity, but they also create opportunities for infiltration and fraud by criminals. One of the most serious problems that companies face trading online, is the risk of valuable, sensitive information falling into the wrong hands.


What is the NDB Scheme?

When people transact with businesses online, they share a lot of information; identification data; credit card details; and personal documentation. All this data is a tempting prize for cybercriminals who want to exploit it to commit online fraud.

On Feb 22 the Australian Government’s Notifiable Data Breach (NDB) Scheme came into effect. Under the NDB Scheme companies that handle people’s personal data like bank account information, credit card details, medical records etc, are obliged to report data breaches to the Office of the Australian Information Commissioner (OAIC). They must also directly inform people whose information is exposed so they have the best possible opportunity to protect themselves from adverse effects.

For the purposes of the NDB Scheme, the OAIC defines a data-breach this way:

“Unauthorised access (of data) by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party... For example; a computer network is compromised by an external attacker resulting in personal information being accessed without authority...”


What sort of data does the NDB cover?

The broad terms of the NDB Scheme could be applied to almost any sort of data from address lists in mobile phones to company HR records and customer credit card details stored on servers. But the criteria for mandatory notification under the scheme also says that ‘serious harm’ must be likely to occur as a result of the breach for it to come under the NDB rules.

There’s some room for speculation about what qualifies as ‘serious harm,’ but the advice from the OAIC stipulates that it can include psychological and reputational damage as well as financial loss.

Although the NDB regulations include a lot of different data breach types, the OAIC specifies four categories that are ‘more likely to cause an individual serious harm if compromised.’ These high priority data categories are:

  • sensitive information, such as information about an individual’s health
  • Medicare card; drivers licence; and passport details
  • financial records
  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about

The last item on the list above is particularly important because multiple data points on a single person can make identity theft and similar fraud attacks easier for cybercriminals.


NDB Scheme objectives

Legislators around the world are grappling with this question; how to steer the digital economy toward a more secure future?

The objective of the NDB Scheme is to incentivise better cybersecurity practices in Australian companies and organisations. Rigorous cybersecurity is of the utmost importance in an increasingly connected, digital economy, and this new legislation is intended to mandate security accountability standards across industries and government bodies.
Compliance with the NDB will give organisations clear parameters to measure their cybersecurity success nurturing trust with consumers and business partners through greater security transparency and standardisation.


Focus on big business

The NDB Scheme is designed to focus on medium to large businesses with annual revenues of more than AUD$3 million.

Any large company that is storing the personal or financial data of individuals should be taking steps to comply with the NDB Scheme.

Small business operators are more or less excused from NDB compliance but there is a quite extensive list of exceptions to this general rule. Small business owners who are unsure about their responsibilities can check the compliance rules on the OAIC website:

NDB: take action

Basic NDB compliance can be summarised in 3 steps:

  • Data audit
  • Risk assessment
  • Cybersecurity implementation

Data audit

The first step toward NDB Scheme compliance is knowing what data a company is collecting and how it is stored. A comprehensive data audit is fundamental to compliance because a company needs to establish what information they handle that could come under the purview of the NDB. The NDB Scheme is very inclusive in its scope, so a data audit should look at all platforms, device types and departments.

A comprehensive data audit should look at all types of assets stored in all formats, across every kind of platform including:

  • databases
  • CRM platforms
  • POS purchase information
  • online shopping records
  • marketing lists
  • social media contacts
  • Excel spreadsheet records
  • company data held by contractors and other third parties

Risk assessment

Once a data audit has established a clear picture of how a company’s data management works, the next step is to make a risk assessment:

  • Who is responsible for the company’s cybersecurity management?
  • What cyber-threats could the company face?
  • Where are the security weak-points in the technology infrastructure?
  • Does the company have effective cybersecurity measures in place?
  • What security software is deployed?
  • Does the company have education programs in place to minimise human security vulnerabilities?
  • What events or signs would indicate that data storage was compromised?
  • What is the company’s responsibility to third parties whose data they handle?

Cybersecurity implementation

The AOIC stipulates procedures for assessment and reporting of notifiable breaches but it’s important to consider the overarching question the NDB Scheme raises:
are companies taking proactive steps to prevent data breaches?

High priority data-security action:

  • Use strong passwords and 2-factor authentication
  • Provide cybersecurity education to your staff
  • Get professional advice on how to strengthen your company’s security
  • Make sure you have solid data backup and recovery procedures in place
  • Implement local and cloud-based cybersecurity protection

Initiating greater accountability and transparency in data management is only half of the formula for NDB preparation. If a company suffers a serious data breach, their compliance responsibilities to the OAIC will only be one of their problems.

Businesses are losing millions of dollars to cyber-attacks that could have been prevented. Cybersecurity is seen as an IT issue; a lot of CEOs imagine that their IT department will take care of it but it just isn’t that simple anymore. Good cybersecurity policy requires the involvement of all levels of management and a commitment to educating every member of a team.

Next steps:

To learn more about the NDB, read these articles:

As a leader in cybersecurity and data protection, MailGuard applauds the introduction of the NDB Scheme as a contribution to higher cybersecurity standards.

If you would like to get your company ahead of the curve on NDB compliance, call MailGuard for an obligation-free consultation with one of our cybersecurity experts: 1300 30 44 30


Topics: Cybersecurity NDB risk management cybersecurity advice partners

Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all