Mandatory data breach notifications: What does the new scheme mean for Australian businesses?

Following numerous attempts, Australia now has a mandatory data breach notification scheme. The government’s Privacy Amendment (Notifiable Data Breaches) Bill 2016 has been passed into law as the Privacy Amendment (Notifiable Data Breaches) Act 2017. The Act requires businesses and government agencies covered by the Privacy Act to notify the Australian Information Commissioner and the affected individuals when they experience an eligible data breach: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. Your business should put a data breach plan in place now.

When will this come into place?
There is no fixed start date for the scheme yet. The Act commences on a day set by Proclamation or, if no earlier day is proclaimed, 12 months after it receives royal assent from the Governor-General, which is a formality. Because the government can bring the scheme forward by Proclamation, it is important for businesses to stay up to date.

Who will be affected?
The legislation covers all government agencies and organisations currently governed by the Privacy Act. It excludes state government organisations and local councils, as well as most businesses with an annual turnover of less than $3 million; note, however, that some small businesses remain covered regardless of turnover, including private health service providers and businesses that trade in personal information.
Failing to notify when the Act requires it is an interference with privacy under the Privacy Act. Serious or repeated interferences can attract civil penalties of up to $360,000 for an individual and up to $1.8 million for an organisation.

Why is the scheme so important?
Privacy and the security of personal information have become a hot-button issue for businesses and consumers. The growing amount of personal information that organisations collect puts people at risk of identity fraud, which causes them financial loss and causes the organisation reputational damage. Now that reporting data breaches is mandatory, businesses entrusted with this data will also face the consequences of a breach. This should make organisations more aware of the value of the data they hold and more diligent about protecting it.

In the United States, where breach notification regulations have been in place for some time, the health industry alone averaged at least one reportable data breach per day. 2017 has already seen more than 30 breaches since January, with the largest single incident involving 220,000 patient records.

Should your organisation have a data breach notification plan?
Consumers are increasingly trusting businesses with the most personal of data, from their medical history to their banking details. So even if your business isn’t covered by the Privacy Act, you should still put a plan in place to address data breaches; it makes good business sense to be able to assure customers and partners that their data is safe.

A comprehensive data breach notification plan should include

  • a definition of what constitutes a notifiable breach, aligned with the Act’s test: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned
  • a strategy for detecting data breaches, assessing their severity, and containing them; under the Act, a suspected eligible breach must be assessed within 30 days, and a confirmed one must be notified as soon as practicable unless remedial action has removed the likelihood of serious harm
  • a reporting hierarchy that determines who is authorised to take action
  • a communications strategy for notifying relevant people as clearly and quickly as possible
  • a recording process so the business can analyse the types of breaches (or attempted breaches) that have occurred so it can put appropriate security measures in place
  • a de-briefing process that reviews the nature of the breach, how it happened, how it was dealt with, and what is required to prevent similar breaches in future.

Having a clear plan in place to deal with breaches offers two benefits. First, it ensures your organisation complies with all relevant Privacy Act requirements. Second, it helps your organisation strengthen its security posture to minimise the risk of further attacks.

Talk to information security professionals to get practical advice on how to harden your environment. It is possible to reap the economic benefits of moving data storage to the cloud without putting data at risk, as long as you take the right approach. The right solution provides real-time visibility of your data, so you know where it is and who is accessing it at any given moment, which makes it easier to identify, contain and, if necessary, report breaches.

Contact Aleron today to see how we can help you develop and implement a data breach notification plan.