The government has finally revealed a draft of the statement it expects organisations to file if they suffer a data breach after February 22 of next year.
Under data breach notification laws passed in mid-February of this year, organisations that suffer a data breach will need to notify the Australian Information Commissioner and affected customers "as soon as practicable".
They must also assess its severity and the potential harm to those impacted, and may need to file a formal report.
The contents of that report have been known in broad terms for some time, namely that it requires some details of the organisation, along with “a description of the breach, the kinds of information involved, and recommended actions those affected should take to protect themselves”.
However, a full draft of the notification format has now been publicly exposed for comment.
It reveals the granularity of information being sought by authorities and provides an indication of the types of statistics that are to be collected through the notification process.
It offers a checkbox for the type of data breached, covering categories such as financial details, government identifiers, tax file number, health information or “other sensitive information” such as political or religious views.
The form also asks the impacted organisation to identify any gap between the breach’s occurrence and its discovery; whether the cause was malicious, or a technical or human error; and offers a selection of radio buttons to specify the number of people impacted.
The Office of the Australian Information Commissioner (OAIC) said in a separate exposure draft document that it planned to publish some form of aggregated information on breach notifications it received.
“The OAIC will publish statistics in connection with the [notifiable data breach] scheme, with a view to reviewing this approach 12 months after the scheme’s commencement,” it said.
“[We] will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.”
Data breach notification is set to begin on February 22 next year. That date was not designated when the scheme was passed into law.
The OAIC said that data breaches discovered before then are not subject to the laws.
In addition, if a breach is uncovered “after 22 February 2018, but the breach occurred prior to that date, the breach is not an eligible data breach for the purposes of the scheme”.
However, the OAIC noted that “certain data breaches occur over a period rather than at a discrete point in time” and these types of persistent threats are likely to be treated differently.
“For example, a system may be compromised by an attacker before 22 February 2018, with data subsequently stolen both before and after 22 February 2018,” the OAIC said.
Comment on the exposure drafts is being accepted up until October 23 this year.