Data Breach Notification Legislation (DBNL) has been passed in Australia and will take effect on 22 February 2018. Business owners should take note, as your responsibilities under the Privacy Act will change.
Who will the new legislation affect?
The DBNL will apply to all businesses and organisations that have an annual revenue of $3 million or more, or that are already required by the Privacy Act to protect the security of the information they collect and store. The scheme will also apply to the Australian Government and charitable organisations.
What is a notifiable data breach?
A notifiable data breach occurs when personal information that a business or organisation holds is accessed or disclosed without authorisation, or is lost. In addition, the access, disclosure or loss is likely to result in serious harm to one or more people, and the business or organisation has not been able to prevent the risk of harm through its own actions.
The loss or theft of a device containing customers’ personal information, the hacking of a database containing personal information, and personal information accidentally being given to the wrong person are all examples of notifiable data breaches.
How do you identify a data breach?
First you must consider the type of access or loss that has occurred. Has the information been accessed by someone who is not authorised to have access (unauthorised access)? Has the information been made available to people who should not have access (unauthorised disclosure)? Or has the information been left behind – either as a hard copy document or on an unsecured computer or storage device – for others to access?
It is important to note that if information has been left behind but it is impossible for others to gain access – for example, because remote deletion is possible or password protection is in place – then no eligible data breach has occurred.
Next you must identify whether serious harm to a person or group of people is likely to result from the information access or loss. Serious harm may include physical, psychological, emotional, financial or reputational harm.
Lastly, you must consider whether any positive steps you take to limit the harm will have an effect. For example, if a file has been sent to an unintended recipient and you can confirm the recipient has deleted the file, then you may have effectively managed the risk. However, if deletion cannot be assured, the risk of harm remains.
How should a data breach be handled?
There is no single way to handle a data breach, as every breach is different. However, keep in mind that the first step is to contain the breach. Next, evaluate the risks associated with the breach. Then enter the notification phase. Lastly, and importantly, take steps to prevent future data breaches.
Remember, every data breach should be taken seriously and acted upon immediately. What may seem inconsequential can quickly escalate.
If you need any assistance with your cyber security or you don’t know where to start please call us on 1300 478 738 or email us at info@suretyit.com.au.