In just 100 days, on February 23, 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 goes into effect, requiring all businesses in Australia to notify the Office of the Australian Information Commissioner and any impacted clients about significant data breaches. Here’s everything you need to know about this law and how it may impact your business.
Who does the law apply to?
Almost every significant-sized Australian business must comply with this new law.
The law covers most Australian government agencies, businesses with an annual turnover of at least $3 million, and some smaller organisations (such as those that handle health data).
It doesn’t matter if you are a for-profit, governmental, or not-for-profit organisation – if you handle personal information then you are required to secure it and have in place a standard plan to notify impacted individuals in the event of a data breach. Basically, if your organisation collects any of the following you are impacted by the revised Privacy Act:
• Credit reporting or building data.
• Personally identifiable information.
• Tax data.
What you need to do
Most companies are already taking steps to ensure compliance with the measures of this act through industry-standard security initiatives. If you are already taking the privacy of your clients seriously then there is a strong possibility that your security scheme and reporting mechanism is already compliant, or close to compliant, with the requirements of this act. However, it is a good idea to review the exact wording of the text with your legal team and determine whether your current policies follow the new stipulations in these three categories.
Identify at-risk data
You need to urgently perform an audit to determine what data your company intentionally or inadvertently collects on your clients and customers. Carefully consider whether you need the data to carry out your business operations and minimise the actual amount of data collected. After that, make certain you are using the most effective security software possible to encrypt and secure the relevant personally identifiable information.
Develop a compliant response plan
There should be three components of your response plan: identifying and closing security holes, notifying government agencies and impacted individuals, and training staff to prevent another breach (if human-caused). There should be a stated plan with an aggressive timeline to ensure rapid notification. Remember – every day a client is not aware that his or her data has been compromised is a day when he or she is at risk of identity theft.
Include all third-party service providers that have access to your data in this process. One of the weakest points in most security systems is when the data is transferred to another group. You can mitigate some of the inherent risks this creates by making certain everyone is on board with the stated plan.
Train staff to implement your plan
Much like fire, a data breach is a disaster your employees should be trained to deal with, both in preventing it and in notifying those affected. Schedule drills covering a variety of scenarios and use the results to further refine your initial plan. The best notification arrangements are those that can be handled by muscle memory.
When does the notification obligation arise?
The notification requirement arises “where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals,” the legislation states.
“Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach,” the act’s explanatory memorandum says.
There are two classes of penalties for failing to adhere to the privacy act: legal and public shaming. The legal consequences include a public investigation that may result in civil penalties of up to 10,000 penalty units — equating to $2.1 million since a rise earlier this year of the value of penalty units under Commonwealth law.
The shaming consequence can be even more damaging. Failing to follow this act gives your competitors a free talking point in their marketing campaigns, “Choose Company B – We Protect Your Data, Unlike That Other Company.”
When do I tell my customers?
If an organisation covered by the regime “is aware that there are reasonable grounds to suspect that there may have been an eligible data breach”, it must take reasonable steps to complete within 30 days a “reasonable and expeditious assessment” of whether there has been a breach.
If there are reasonable grounds to believe there has been an eligible data breach, the organisation must prepare a statement detailing the breach and give a copy to the Australian Information Commissioner and notify any affected individuals “as soon as practicable”.
Your notification will generally be in the manner that you usually use to contact the individual, as long as it is secure and protects their privacy. The notification needs to include the following:
- Information compromised
- The situation
- What clients should do immediately
- Your contact details
Why breach notifications and secure data best practices can be good for your image
One of the greatest challenges companies of all sizes face is showing their customers that it places their privacy above profits. A data breach, if not handled in a prompt and transparent manner, reinforces the impression that the company does not care about its clients. By proactively developing and implementing a data breach contingency plan you can mitigate the risk of this impression harming your market status.
Sergio Ferreira is CEO at PlexNet.
(This article has been updated to correct the current maximum fine for breaches and the breach notification timeline.)