Australia is expected to have a mandatory data breach notification scheme in place within 12 months, after the Senate passed new laws requiring businesses to alert the regulator and affected customers when they have experienced a data breach.
The bill, which amends the Privacy Act, now requires only Royal Assent from the Governor-General, a formality, before it passes into law.
Despite a spate of high-profile data breaches across the globe in recent years, Australia has lagged behind many developed nations which have already introduced mandatory notification schemes.
As a result, many Australian organisations do not yet have robust data breach response plans in place. To help you understand how the new legislation will apply to your business, we’ve summarised some of the key points below.
Do mandatory data breach notification laws only apply to big businesses?
Once introduced, the mandatory breach notification scheme will apply to all organisations that are governed by the Privacy Act.
This includes government agencies, and businesses and not-for-profits with an annual turnover of more than $3 million.
However, the Privacy Act also covers some businesses with a turnover of less than $3 million, so the new notification obligations will apply to them as well. Examples include private sector health care providers, private schools and any individual or business that handles personal information for a living.
What happens if my business suffers a data breach after the new laws are introduced?
Once the scheme comes into effect, organisations will be required to report eligible data breaches to the Privacy Commissioner, and to notify any customers who may be affected, 'as soon as practicable'.
An 'eligible data breach' is one where unauthorised access to, or unauthorised disclosure of, personal information is likely to put the affected individuals at 'risk of serious harm'. Where this occurs, the notifications to the Privacy Commissioner and to customers must include a description of the breach, the kinds of information involved, and the steps the organisation recommends affected individuals take in response. The organisation must take 'reasonable steps' to ensure that notification actually reaches the individuals concerned.
Where it is not yet certain whether an eligible breach has occurred, the new laws allow up to 30 days to carry out an assessment and determine whether notification is required.
What are the consequences of not adhering to the new regulations?
Serious or repeat offenders can be hit with penalties of up to $1.8 million for organisations and $360,000 for individuals. Initially, however, the consequences are more likely to be public apologies and compensation payments to affected parties.
There is also a heightened risk of reputational damage for companies found to have experienced a serious data breach.
These exposures are in addition to the cyber risks businesses already face, including potential liability to clients and employees whose data has been compromised, and loss of income while systems are down or are being investigated and repaired.
How can my business prepare?
Now is the time to review your business’s data security to minimise the risk of a breach and to establish a data breach response plan.
Arthur J. Gallagher Insurance Brokers' cyber risk expert, Travis Gauci, says that the latter is essential, even for organisations that may not be subject to the new legislation.
“Legislation is a good base for understanding your obligations, but it does not alleviate the risk of a business experiencing a data breach, nor the exposure for customers of that business whose personal information may be at stake," he says.
“Although there’s a perception that only ‘big businesses’ will be impacted by the mandatory data breach notification scheme, a lot of smaller businesses will also be caught up in it. That’s why a breach response plan, which is clearly articulated across the business and to all contractors, is essential.
“Even businesses that the legislation will not apply to should develop a breach response plan. This is business best practice and could go a long way to minimising the risk of reputational damage should a breach occur.”
Gauci recommends that all businesses look to mitigate their data breach exposures by following a rigorous five-step process:
- Understand the specifics of the data you hold: whose information is it, is it personal information, and what is it used for?
- Develop a breach response plan with clearly designated leaders.
- Train and educate all staff on data security policies and their responsibilities.
- Adopt best practice information security procedures, including firewalls, regular patching, application whitelisting, virus protection, restricted administrative privileges, encryption and offsite data backups.
- Take out adequate insurance, including specific cyber cover.