With Australia several months past the regulatory change that saw mandatory breach notification become a reality in the country, what do the changes mean for your business?
The amendment to the Privacy Act, which came into force in February 2018, has already seen businesses notify both regulators and consumers of data breaches.
The first data breach in Australia reported under the new legislation involved shipping firm Svitzer, where up to 60,000 emails from three accounts in finance, payroll and operations were secretly forwarded to two external email accounts for close to a year.
To help you understand how the new legislation applies to your business, we’ve summarised some of the key points below.
Do mandatory data breach notification laws only apply to big businesses?
The mandatory breach notification scheme applies to all organisations that are governed by the Privacy Act.
This includes government agencies, and businesses and not-for-profits with an annual turnover of more than $3 million.
However, the Privacy Act also applies to some businesses with a turnover of less than $3 million, so the notifications will also apply to them. Some examples of this include private sector health care providers, private schools and any individuals who handle personal information for a living.
What happens if my business suffers a data breach under the new legislation?
Under the amendment, organisations are required to report eligible data breaches to the Privacy Commissioner as well as notifying any customers that may have been affected, ‘as soon as is practicable’.
An ‘eligible breach’ is one where unauthorised access to, or disclosure of, information could put the individuals affected at ‘risk of serious harm’. Should this occur, notifications to the Privacy Commissioner and to customers must include a description of the breach and details of the type of information involved. ‘Reasonable steps’ must be taken to inform affected individuals of the breach and how they should respond to the incident.
In circumstances where it’s not certain that a breach has occurred, the new laws allow up to 30 days to ascertain whether a notification is required.
What are the consequences of not adhering to the new regulations?
Those that fail to correctly notify can be hit with fines of up to $1.8 million for organisations and $360,000 for individuals.
There is also a heightened risk of reputational damage for companies found to have experienced a serious data breach.
These exposures are in addition to the cyber risks businesses already face including potential liabilities to clients and employees who have had their data compromised, or loss of income while systems are down or being investigated and repaired.
What to do next?
If you haven’t already, now is the time to review your business’s data security to minimise the risk of a breach and to establish a data breach response plan.
Gallagher Insurance Brokers’ cyber risk expert, Travis Gauci, says that the latter is essential, even for organisations that may not be subject to the updated legislation.
“Legislation is a good base for understanding your obligations, but it does not alleviate the risk of a business experiencing a data breach, nor the exposure for customers of that business whose personal information may be at stake,” he says.
“Although there’s a perception that only ‘big businesses’ are impacted by the mandatory data breach notification scheme, a lot of smaller businesses will also be caught up in it. That’s why a breach response plan, which is clearly articulated across the business and to all contractors, is essential.
“Even businesses that the legislation does not apply to should develop a breach response plan. This is business best practice and could go a long way to minimising the risk of reputational damage should a breach occur.”
Gauci recommends all businesses look to mitigate their data breach exposures by following a rigorous five-step process:
- Understand the specifics of the data you hold. Whose information is it? Is it personal? What is it used for?
- Develop a breach response plan, with clearly designated leaders.
- Train and educate all staff on data security policies and their responsibilities.
- Adopt best-practice information security procedures, including firewalls, regular patching, application whitelisting, virus protection, restricted admin privileges, encryption and offsite data back-up.
- Take out adequate insurance, including specific cyber cover.