In February 2018, new legislation for mandatory data breach notifications will be introduced as an amendment to the Australian Privacy Act. This amendment will apply to all organisations required to comply with the Australian Privacy Act 1988 and could result in penalties for non-compliance of up to $1.7M for organisations and $300,000 for Directors.
Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover of more than $3 million are required to comply with the Privacy Act, subject to some exceptions.
This Australian legislation is part of a global response to the challenges governments face in ensuring the protection of data in a rapidly changing world. Consumers need to be confident that their personal information is secure and that organisations can protect their data and minimise the impact if a breach occurs. Similar changes to the European Union’s General Data Protection Regulation will come into effect in May 2018, and will apply to all organisations dealing with EU countries. The United States also has legislation for data breach reporting.
The Australian legislation applies to notification of eligible data breaches (including a suspected eligible data breach) where individuals are likely to be at risk of serious harm. Unauthorised access to or disclosure of data can occur in many ways. Have you ever misplaced a USB drive containing company information? Has one of your team ever left sensitive paperwork (e.g. a hard copy file) where it could be read by an unauthorised person (e.g. in a taxi)? Has your organisation ever had a laptop stolen? It’s not unheard of for an email to be sent accidentally to the wrong person in a contact list, with an attachment containing confidential information. And then, of course, there are the emails with links designed to entice the reader to click, giving an attacker a way in to steal valuable information.
Human error is impossible to remove completely, but the likelihood of error can be managed. Do you have the necessary policies and procedures in place, stating clear expectations, to support your people?
If your organisation has responsibilities under the Privacy Act, then in four months’ time you will be required to take specific action. When reporting a data breach:
- You must undertake a thorough assessment of the impact of the breach, and document that assessment
- The Office of the Australian Information Commissioner (OAIC) must be notified
- Reasonable attempts must be made to notify the individuals likely to be at risk or harmed, including recommendations on what those individuals could do in response to the breach.
Given the global increase in cyber security events, and their impact on reputation and profitability, we suggest that you:
- Ensure your security policies and procedures are well written, up to date, proven and supported by awareness campaigns
- Ensure your team members are educated on what constitutes a data breach (or suspected breach) and the steps they need to follow
- Have a procedure in place for managing a security incident, as well as documentation identifying your most sensitive data
- Discuss your policies and procedures with third-party suppliers and other partners so that you are confident they have the required processes and controls in place.
These proactive steps will help you to plan, and then to respond, if such a security event occurs. From the time you become aware of the data breach (or suspected breach) you have 30 days to complete your assessment. There are exceptions to the timeline in the legislation, but being in a position to quickly implement a proven process, take remedial action and contain likely harm to individuals all demonstrates diligent action, well-thought-out risk management and the respect your organisation has for personal information.
The human factor is considered one of the highest risks when it comes to the security of information. However, well-written policies and procedures, effective education and a proactive culture of security awareness and responsibility can turn the human factor into a powerful influence to minimise risk. Make sure your people are aware of their responsibilities and of the process for reporting a breach.
Be proactive, reduce risk and protect your information. Don’t wait until a data breach has occurred – it may be very costly.
Published on LinkedIn, Oct 2017