The Government’s new Mandatory Data Breach Notification Law came into effect on 22 February 2018. If you are a business that handles client personal details, credit information and TFNs, you will be affected.
According to cybersecurity experts, more than 5 million personal records are stolen globally every day. Data breach activity continues to escalate in Australia, with Equifax, Uber and the public service being some of the biggest breaches of 2017 and many smaller breaches going unreported.
It’s not surprising that the Government has taken legislative action to get this problem under control. With bipartisan support, the new Mandatory Data Breach Notification Law is expected to take effect from 22 February.
We summarise the changes and how businesses may be affected below.
Your obligations under the new law
If a data breach meets the eligibility criteria set out below, you must, within 30 days of becoming aware of the breach:
1. Alert the Australian Information Commissioner of the incident.
2. Notify the affected person(s) of the data breach.
If these steps are not followed, incidents can attract a maximum penalty of $360,000 for individuals and $1.8 million for organisations.
What type of data breaches must be reported?
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked or personal information is mistakenly provided to the wrong person.
Notification obligations are triggered by an ‘eligible data breach’: one that is likely to result in serious harm to any of the individuals to whom the information relates. A breach is eligible only if it satisfies all three of the following criteria:
1. There is unauthorised access to, or disclosure of, personal information that an entity holds, or a loss of such personal information;
2. This is likely to result in serious harm to one or more individuals; and
3. The entity has not been able to prevent the likely risk of serious harm through remedial action.
Who does the new law apply to?
Your business is affected if you are:
- An organisation (for-profit or not-for-profit) with a turnover of more than $3 million
- An organisation with a turnover of less than $3 million, if you handle sensitive information such as client personal details, credit information and Tax File Numbers (TFNs).
Examples include:
- Health services providers like GPs and medical specialists
- Gyms
- Childcare centres
- Credit reporting bodies
- Accounting firms
- Retailers who offer store loyalty programs.
What can businesses do to prepare?
With this change, it’s advisable to review your privacy policies, practices and procedures to reduce the risk of a major breach. Note that the majority of data breaches are linked to employee negligence, so many breaches can be prevented simply by educating your staff on cybersecurity best practices. These include:
- Creating strong passwords and ensuring that staff routinely change those passwords
- Understanding how to identify phishing attempts
- Setting limits on the types of information staff can share through email and on social media
- Establishing a series of steps to follow if staff feel that information has been compromised.
See our article ‘Cybersecurity isn’t just an IT problem’ for more advice on quick wins to improve your information security.