Where is your company’s cybersecurity preparedness level? If you were to rate it on a scale from 1 to 10, with 1 being the lowest level of preparedness “confidence” and 10 the highest — where do you think you stand? Companies across Australia need to take a good, hard look at their IT network and cyber security and honestly assess where their security readiness stands. If you are not absolutely sure that you can weather any data breach — you’ll probably want to seek out security specialists such as Steadfast Solutions to help you get prepared for the Australian government’s Data Breach Notification Laws of 2018, which are fast approaching.
Understanding the New 2018 Data Breach Notification Laws
Australians increasingly provide personal information to retailers to purchase products online, or to gain rewards — almost three-quarters of Australians are signed up to a store loyalty program.
Earlier this year, legislation was introduced to add to existing protections for personal information in the Australian Privacy Act. From 22 February 2018, retail businesses with an annual turnover of $3 million or more, or that trade in personal information, will be required to comply with the Notifiable Data Breaches (NDB) scheme.
Under the NDB scheme, these organisations must notify individuals affected by a data breach which is likely to result in serious harm. The Australian Information Commissioner must also be notified.
Failure to comply with the new Data Breach Notification Laws will fall under the Privacy Act’s existing enforcement and civil penalty framework.
‘Serious harm’ may include serious physical, psychological, emotional, financial, or reputational harm. Understanding whether serious harm is likely or not will generally rely on an evaluation of the context of a data breach — including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.
In the context of retail, for example, the disclosure of customers’ credit card details may be likely to result in serious financial harm. Notifying customers of this data breach provides them with the opportunity to take protective action, including canceling credit cards.
It is important to understand your obligations under the NDB scheme before commencement on 22 February 2018 — find out more, and start preparing for the scheme, with our draft NDB resources.
Hard to believe that a single breach in 2017 resulted in the sensitive information of nearly 50,000 Australians and 5,000 federal public servants being leaked.
But it did, and there are surely more major data breaches to come.
This is, unfortunately, a trend that shows no sign of slowing down. In fact, more than 5.1 million records are stolen globally every single day. That works out to 59 records a second.
So, it should come as no surprise that serious action has been taken to get this problem under control, which has led to the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, otherwise known as the NDB scheme.
Taking a Closer Look at the 2018 Data Breach Notification Laws
According to Data Privacy Monitor, the Australian Senate passed a bill on February 13, 2017 that established a mandatory requirement to notify the Privacy Commissioner along with affected individuals of “eligible” data breaches.
This pertains to any type of data breach that has the potential to bring about serious harm to the individuals involved.
Mondaq offers further clarification on the term “serious harm” and states that it can include serious physical, psychological, emotional, economic and financial harm. They also point out that it can relate to serious harm being done to a person’s reputation.
In these types of cases, affected individuals must be notified in a timely manner.
Here are some examples:
- A cyber-criminal gains unauthorised entry to your organisation’s database, which contains sensitive customer information
- A device that stores sensitive customer information is either lost or stolen
- Someone within your company accidentally provides the wrong person with sensitive information
But it’s important to note that notification isn’t required in all cases. If a data breach is quickly remediated so that it’s not likely to result in serious harm, notification won’t usually be necessary.
The NDB scheme will officially go into effect on February 22, 2018 and only applies to data breaches that occur on or after that date. In other words, this wouldn’t apply to a data breach that happened prior to February 22, 2018.
Data Privacy Monitor also provides specifics on the penalties that can arise from failure to notify affected parties. They state that individuals can be fined anywhere up to AU$360,000 (US$274,560) and organisations can be fined up to AU$1.8 million (US$1.37 million).
Carrying steep fines, the new Data Breach Notification Laws definitely aren’t something to take lightly. A single offence could have a crippling effect on a company and even put it out of business.
This shows just how serious the Australian government is about improving cyber security and cracking down on data breaches.
Who Must Comply?
It’s simple. It applies to any business, Australian Government agency, or other organisation that’s required to keep information secure per the Privacy Act 1988.
This new law is an amendment to the original Australian law. So, if your company was required to comply with the Privacy Act 1988, it’s required to comply with the NDB scheme as well.
What’s the Principal Reason for the NDB Act?
Due to the widespread prevalence of data breaches both in Australia as well as globally, the NDB scheme is designed to increase protection levels across the board and keep sensitive information more secure.
It’s the responsibility of organisations to ensure that their customers’ information is kept safe and that they do everything possible to prevent a breach from happening.
That said, it’s inevitable that data breaches will continue to persist. But the NDB scheme provides a framework that requires businesses to respond swiftly and with maximum transparency to mitigate the damage.
[Source credits: Stickman.com.au, OAIC.gov.au]
Steadfast Solutions takes care of your IT issues so you can devote your full attention to non-IT business matters with no worries or stress. Our expert IT solutions, implemented as custom-fit strategies that incorporate your inherent business objectives and operations requirements, are designed for long-range efficacy.
Get Prepared for the Effective Date of the 2018 Mandatory Data Breach Notification Laws
The Australian Government’s Data Breach Notification Laws become effective on 22 February 2018. C-Level Executives and SME business owners can get prepared now and optimise their organisation’s Business Continuity and Cyber Security Strategy by calling or emailing a Steadfast Solutions agent at (National) 1 300 659 508, IDD: +61 3 9785 4444, or firstname.lastname@example.org for more details on how to get started!
Published on 25th January 2018 by Ian Brady.