Mandatory Data Breach Notifications

As we transition to a digital economy, now more than ever the focus must be on ensuring Australia captures the opportunities of the information age, while protecting the rights of the individual.

On 13 February 2017, the Australian Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (the Bill). The Governor-General gave formal assent to the Bill on 22 February 2017, which will now see the Bill enacted into law from 22 February 2018.

The objective of the Mandatory Data Breach Notification Laws is to ensure that an ‘eligible data breach’ is reported to the Office of the Australian Information Commissioner. An eligible data breach is defined as ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity’ where ‘the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates’. The personal information covered includes personal details, credit reporting information, credit eligibility information and tax file number information.

Under the amendments, an affected organisation will be required to report the incident to the Office of the Australian Information Commissioner and to notify affected parties within 30 days of becoming aware of any such data breach. The notification to the affected party must disclose the type of data breach, the particular information affected and how the affected party should respond to the data breach.

Who is affected?

Once introduced, the mandatory breach notification scheme will apply to all organisations that are governed by the Privacy Act. This includes government agencies, businesses and not-for-profits with an annual turnover of more than $3 million. However, the Privacy Act also applies to some businesses with a turnover of less than $3 million, so the new notifications will also apply to them. Some examples of this include private sector health care providers, private schools and any individuals who handle personal information for a living.

What are the consequences if you fail to report a breach?

Repeat or serial offenders can be hit with fines of up to $1.8 million for organisations and $360,000 for individuals. Initially, penalties are more likely to be public apologies and compensation payments to affected parties. There is also a heightened risk of reputational damage for companies found to have experienced a serious data breach.

These exposures are in addition to the cyber risks businesses already face including potential liabilities to clients and employees who have had their data compromised, or loss of income while systems are down or being investigated and repaired.

How can Allcom help you prepare?

Appropriate security safeguards for personal information need to be considered across a range of areas, including physical security, computer and network security, communications security and personnel security. Allcom has set out below some of the initiatives it can deliver and recommend to help Australian businesses better understand their risk appetite and security posture.

  • Risk assessments – Identifying the security risks to personal information held by the organisation and the consequences of a breach of security.
  • Privacy impact assessments – Evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.
  • Policy development – Developing a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.
  • Staff training – Training staff and managers in security and fraud awareness, practices and procedures and codes of conduct.
  • The appointment of a responsible person or position – Creating a designated position within the agency or organisation to deal with data breaches. This position could have responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.
  • Technology – Implementing privacy enhancing technologies to secure personal information held by the agency or organisation, including through such measures as access control, copy protection, intrusion detection, and robust encryption.
  • Monitoring and review – Monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place.
  • Standards – Measuring performance against relevant Australian and international standards (such as ISO and NIST) as a guide.
  • Appropriate contract management – Conducting appropriate due diligence where services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that the service provider has in place, and then monitoring compliance with these policies through periodic audits.

For more information on how to better understand and prepare your business in relation to a cyber event, call Allcom today on (02) 9921 1355 and speak with a cyber specialist.