There's less than a year to go before the new mandatory data breach reporting law comes into effect. Have you reviewed your company's cyber insurance and data breach response plan?
A string of high-profile data breaches last year targeted several Australian businesses ranging from popular websites and media companies, to universities and government services. In 2016, more data breaches were reported in Australia than anywhere else in the APAC region, and London-based insurer Lloyd's suggested that cybercrime will cost the Australian economy upwards of $16 billion over the coming decade.
So when the Federal Government passed the Privacy Amendement (Notifiable Data Breaches) Bill 2016 earlier this year, the technology industry was understandably estatic. Speaking to the Financial Review, Anthony Wong, president of The Australian Computer Society, described the new law as a "critical step forward in the elevation of data protection and cyber security issues" at the enterprise level.
But some members of the business community were less enthused, citing concerns about the implications and 'unintended consequences' of the new scheme, several industry groups and notable Australian companies challenged the need for the scheme and criticised draft versions of the bill, which eventually passed in the Senate with bipartisan support.
New data breach notification laws are coming, and you need to be prepared
The data breach notification scheme is happening, whether you like it or not. It applies to all organisations that have responsibilities under the Privacy Act, including (in some cases) businesses with an annual turnover of $3 million or less and individuals who handle personal information for a living.
This means that starting next year, your company will be required by law to notify the Office of the Australian Information Commissioner (OAIC) if you have reasonable grounds to believe than an 'eglibile data breach' has occurred.
You can read more about the new notification requirements and what it means for your business here.
But notifying the OAIC of a potential breach isn't your only obligation. Under the new notification scheme, your company must:
- Notify affected individuals if you have reasonable grounds to suspect that an eligible data breach has occurred
- Assess the cause, extent and nature of the breach within 30 days of becoming aware of it
- Prepare and publish a statement that contains a description of the breach, outlines the kind of information that has been compromised and includes your organisation's contact details.
That's a lot of work to do, especially if you don't have a plan or strategy in place. Fines for noncompliance can be as high as $1.8 million for organisations, and that's excluding the cost of reputational damage and lost business.
Compliance means having cyber insurance and a comprehensive data breach response plan
Creating a data breach response plan ahead of February 2018 will help your organisation:
- Prepare for the incoming data breach notification scheme
- Mitigate and manage compliance risks
- Prove that you have effective privacy practices if you're ever the subject of an investgation by the Privacy Commissioner
A data breach response plan will also give your clients peace of mind, in addition to improving your organisation's ability to remediate a breach in an efficient and timely manner. At the very least your plan should outline roles and responsibilies for key staff in the event of a breach, include a draft notification and summarise the process for investigating a breach. If you're not sure where to start, download our free data breach response plan template.
It's important to realise that the incoming data breach notification scheme will impact everything from your data handling and IT procedures to your marketing activities, contracts with suppliers, and relationships with third parties who may hold personal information. Before the scheme commences, take the time to review your organisation's privacy controls, your cyber insurance and your data breach response plan. It will help you put a robust system in place to protect personal information and mitigate the risk of noncompliance.