If your turnover is more than $3 million per year and you are governed by the Privacy Act, or if you are a smaller business handling sensitive information, then the incoming Data Breach Notification Legislation will impact your business. The bill now only needs royal assent, which is a formality, and then it becomes law.
What is the new law?
The law means that businesses that discover they have been breached or have lost data will need to report the incident to the Privacy Commissioner, as well as notify affected customers, as soon as they become aware of the breach.
The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.
What’s the impact of not reporting a breach?
Anyone not reporting a breach faces fines of $360,000 for individuals and $1.8 million for businesses, so it’s something everyone needs to take seriously.
What is classed as a data breach in the new law?
The law considers a breach to have occurred when there is unauthorised access to, disclosure of, or loss of customer information held by a business, and that event generates a real risk of serious harm to the individuals involved.
Data breaches are not limited to malicious actions such as theft or hacking; they can also come from internal errors or process failures that cause accidental loss or disclosure.
What types of data, and stored where, come under the Data Breach Notification Legislation?
Anything from personal details, financial information, credit reporting information, tax file number information, etc., held on any device, including mobiles, USB keys, hard drives, the company network or paper records. The legislation has a very broad scope.
Here are a few examples of where the legislation will apply –
- A mobile device containing company information is lost and there’s no way of managing it remotely or ensuring that it hasn’t
- There is unauthorised access to a spreadsheet containing customer financial information.
- A member of staff mistakenly emails the information of one individual to another individual.
- A member of staff takes the personal information of customers.
- A contractor working on a database containing customer information takes a copy on their laptop and has their laptop stolen.
- An IT staff member finds malicious software on a computer and discovers that confidential information was held on that computer.
What harm could result from a breach?
- Identity theft
- Financial loss
- Threat to physical safety
- Threat to emotional wellbeing
- Loss of business
- Damage to reputation
- Loss of public trust
- Reputational damage
- Loss of assets
- Financial exposure
- Regulatory penalties
- Legal liability
What you need to do now
Before the legislation takes effect, it is critically important that businesses already have a strategy in place, so that there is no last-minute panic, no exploding costs, and no rushed, poorly implemented strategies.
We would recommend looking at the following components as a starting point –
- Review your current data security strategy
- Develop a cyber security strategy that doesn’t just involve IT
- Educate your staff
- Develop a data breach strategy
If you need any assistance with your cyber strategy, or you don’t know where to start, please call us on 1300 478 738 or email us at email@example.com.