Governments are getting serious on Cyber Security. You should, too

Cyber Security: A challenge all organisations should take seriously

The Mandatory Notifiable Data Breach (MNDB) scheme which passed into law in 2022 will take effect in NSW from November 28, 2023.

This amends the Privacy and Personal Information Protection Act 1998 (PPIP Act) and extends responsibilities to notifying the NSW Privacy Commissioner and affected individuals following an ‘eligible data breach’.

Whilst the legislation largely affects NSW public sector agencies, it is relevant to:

  • any private sector business contracting to government/public sector agencies (e.g.,an IT firm hosting, collecting, processing agency data)
  • most businesses, as the legislation guidelines can help enhance cyber security.  

NSW is the first state to adopt such legislation, and the Queensland Government is currently reviewing similar reform.

Changes take effect in less than 4 months. Here’s what to consider. There are key areas agencies and corporations should review (or apply resources to) before November 28:

Data governance and data risk management.

I can’t overstate how important it is for agencies and contractors to:

  • clearly understand your data landscape, and what data you are holding
  • have robust data governance measures relating to the collection, storage and purging of Personally Identifiable Information (PII) and other sensitive data.

Also consider:

  • why the data is being collected
  • what this data is used for, and if it’s still required
  • the legal obligations and value in retaining data versus the risk and cost of doing so
  • how to keep data secure on an ongoing basis, given cyber threats will only increase

I recently heard an interesting analogy which compared data to calories –

  • It is necessary but make sure you don’t collect it to excess
  • Ensure that you are consuming/collecting the right sort (only that which you need or are legally required to hold)
  • Keep asking yourself, do you need it, and can you get rid of some? Do you have a purging policy for safely disposing of data and, if not, can this be introduced?


Have an appropriate Incident Response Plan (IRP)

An IRP must be more than a box-ticking exercise in your risk management framework.

It should be carefully configured and fit-for-purpose; periodically tested and updated; with clearly identified roles and responsibilities (including contingency plans).

Make Cyber Security everyone’s business

A cyber event can profoundly impact many people’s lives. Just as data can deliver value for an organisation, there should be a culture of shared responsibility for protecting it. The mindset around cyber security should be that of a ‘Team Sport’, where risk ownership rests with a wide group across the business, including the C-Suite and Board.

Find out more

You can access informationon the Scheme here

Need more information? Get in touch and I’ll be happy to assist.


View All