Recent technological developments allow large volumes of information to be collected, stored and retrieved within seconds, which in turn makes online privacy more crucial to organisations. Cybersecurity takes centre stage because data breaches have wide-reaching implications.
In Australia, identity crime has become one of the most common consequences of a data breach, resulting in damages amounting to a staggering $2.2 billion yearly. The reputational and financial damage caused by such crimes affects not only individuals but organisations as well. To address this growing concern, the Australian Government has taken steps to improve the protection of people’s personal information by amending the Privacy Act of 1998 and introducing a new law that requires mandatory reporting of data breaches: the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Notifiable Data Breaches (NDB)
The new legislation requires agencies and organisations to notify the individuals affected by a breach and to report to the Australian Information Commissioner if the incident is an eligible data breach. An eligible data breach is one where the information lost or accessed is likely to result in serious harm.
Up until now, many data breaches have gone unreported despite their severity, and organisations still attempt to hide and even cover up serious breaches in order to protect their credibility. The new legislation aims to strengthen privacy protection by improving transparency around data security issues.
Who is affected?
The NDB scheme applies to organisations already responsible for keeping data and information secure under the Privacy Act. This includes:
• Businesses and not-for-profits with an annual turnover of at least $3 million, although it may also apply to some businesses with less than $3 million turnover
• Australian Government agencies
• Private sector health service providers
• Educational institutions
• Businesses that sell or purchase personal information
Non-compliance carries penalties that may reach up to $1.8 million for serious or repeated violations.
What types of data are affected?
The Privacy Act requires that all personal and sensitive information must be protected and kept secure.
Organisations in Australia gather a wide range of information on individuals that are considered personal and sensitive such as names, addresses, genders, tax file numbers, credit card details, financial information, identification cards, driver’s licenses, names of family members, medical history, and travel history among others.
A data breach has occurred if any data of this kind is accessed or disclosed without authorisation, or is lost in any manner. This may be due to a cyber-attack or to inadvertent disclosure. However, it is only considered an NDB if the loss or breach is likely to cause serious harm to those affected.
What to do when an NDB occurs
Once an NDB is discovered, the organisation must notify the OAIC and all affected parties as soon as possible. The notification must include the following:
• Identity of the organisation
• Contact details
• Description of the data breach
• Detailed report of the types of information involved
• An offer of assistance to the individuals affected by the breach
• Information on, or a list of, other parties notified, such as the OAIC or the police.
If the breach involves a large number of people, the organisation may instead publish a statement about the compromised data on its website and take reasonable steps to publicise it.
However, notifying a breach may not be necessary if the organisation has taken “reasonable” action to minimise the adverse outcomes of the data leak before any serious harm occurs.
A secure IT environment is critical to protecting the information and data in your business. This protection is not just about stopping hackers getting in; it is about the security and integrity of the data at all times.
At Wyntec we work with our clients to increase their IT security and reduce the risk of data loss, covering everything from the desktop to the network edge and data stored in the cloud. If you would like to discuss the security and protection of your business’s data, please get in touch with me today – [email protected]