Most of us don’t know what actually happens to our data once it is given to a business, like credit card details, addresses and tax information. Before today, if a business had some of their data stolen or leaked, you wouldn’t know about it.
However, the good news for you as a consumer has just arrived! With the new Data Breach Notification Laws, businesses must report incidents of stolen or leaked data to the Privacy Commissioner and to customers, which gives you the chance and time to change passwords or take extra security measures.
What is Data Breach?
As the name says, it’s when there’s an unauthorised access or leak of personal information that is held by a business. The first thing that comes to mind is that this type of information can only be accessed if stolen by hackers or viruses, however, a data breach is also considered when a business loses confidential data, or accidentally provides it to wrong people or entities.
The Office of the Australian Information Commissioner (OAIC), has a guide on the topic and explains data breaches as:
- Loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- Unauthorised access to personal information by an employee
- Inadvertent disclosure of personal information due to ‘human error’, for example, an email sent to the wrong person
- Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
Does it apply to all businesses and data breaches?
The Notifiable Data Breach – NDB requires entities to report on data breaches that could cause serious harm to people. On that note, it’s important to highlight that the NDB scheme explains that not all breaches must be reported. What they call “eligible breaches” are the ones that require attention.
This has been causing some confusion on what’s considered an “eligible breach”. The Privacy Act doesn’t define the term, however, it explains “serious harm” in the context of serious physical, psychological, emotional, financial, or reputational harm that the breach may cause to an individual.
Also, not all businesses are covered by the NDB scheme. According to the OAIC guide, here are the entities that must comply:
- Entities that have existing obligations under the Privacy Act to secure personal information must comply with the NDB scheme.
- This includes Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
- Entities that have Privacy Act security obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect other types of information outside the scope of their obligations under the Privacy Act.
(source: Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth))
Complying with the new laws
This is not just an IT department effort and shouldn’t be seen an isolated case in the business, but rather, as something that teams must collaborate with on an effort to maintain and safeguard the business possible exposure and reputation.
If a business believes that their data has been compromised but it doesn’t report to authorities and members of the public, the consequences are severe and large fines will be applied. A basic rule of thumb is: If a business suspects that it had some data breached, the business should evaluate the situation and assess the verdict. If a business knows or has enough evidence that a data breach has occurred, it must notify the public and the Commissioner immediately.
What are the next steps for your business?
There are some steps your business can take immediately, such as:
- Find out if the NDB scheme applies to your organisation
- Review and assess your privacy and security policies ensuring they are up to date
- Notify employees of this new change in law and ensure everyone is vigilant for any suspicious activity
- Perform a risk and impact assessment on possible exposure
As a secondary step, which will take more effort but must be done:
- Audit your system and security measures in place to ensure they comply with minimum standards and can safeguard your business from basic and simple attempts of breaches
- Decide on a “security group” to investigate possible breaches and be security ambassadors
- Have a data breach assessment template to follow
- Communicate to employees on how and when to notify a suspected breach
- Have a plan in hand in case there’s a need to report a breach
This is just a summary of the new law and what it means for you as an individual and for your business. For detailed information on the topic, please read the Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) by the Office of the Australian Information Commissioner.
If you need assistance with your privacy and security policy, would like to audit your business security systems or need support to develop a security strategy, our consultants can help! Contact us on 1300 991 351 or email email@example.com