How businesses should prepare for Australia’s new mandatory data breach notification laws

19 Apr 2017

Australia, like other countries, has not been immune to data breaches in which personal information has been exposed. The much-anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016, whereby organisations will be legally obliged to disclose data breaches, has been passed by the Australian Federal Government, and the laws will come into effect within the next 12 months. The bill applies to all Australian government agencies, businesses, and not-for-profit organisations governed by the Privacy Act with an annual turnover of more than $3 million, with some exceptions. Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act, including:

  • Private sector health service providers. Organisations providing a health service include:
    • Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals.
    • Complementary therapists, such as naturopaths and chiropractors.
    • Gyms and weight-loss clinics.
    • Child care centres, private schools and private tertiary educational institutions.
  • Businesses that sell or purchase personal information; consumer credit reporting information, including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and tax file numbers; and certain other third parties.

Once the mandatory data breach notification scheme comes into force, organisations will need to report any 'eligible' data breaches to the Australian Privacy and Information Commissioner, and notify customers that may have been affected as soon as possible. The government classifies a data breach as an instance where there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure". It qualifies as an "eligible data breach" when there is a likelihood that the individuals affected by the incident are at "risk of serious harm" because their information has been exposed.

When contacting the Australian Privacy and Information Commissioner about affected customers, businesses must include a description of the data breach, what kind of information has been compromised, and the steps that individuals can take to respond to the incident and protect themselves.

What if I don’t comply?

Failure to comply with the new notification scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences. A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

What actions should I take now?

If your organisation has been lax with its data security policies, this is a wake-up call that the government is taking data breaches more seriously. Every organisation should begin to:

  • Review your data collection practices and policies, internal data-handling, and data-breach policies to reflect the new requirements and ensure personal information is collected and stored only when needed.
  • Audit how you are holding data and whether any sits with third parties (for example, in the cloud) on your organisation’s behalf.
  • Strengthen your cybersecurity defences. Visibility is key. This means reviewing your cybersecurity strategies and practices to ensure that steps are in place to avoid data breaches or you have outlined ways to reduce administrative errors, which could lead to a breach. For example:
    • Who has access to the data and do they need access to the data? Reducing or limiting access reduces the possibility of anyone inadvertently leaking the data or a cyber criminal getting access to data.
    • For sensitive data, think of how it could be shared. Is there the right governance in place to prevent someone from sharing or breaking a business process? Many times a process needs to be updated to ensure there is a balance between the risk and productivity.

Now is the time to sit down, have these conversations, and look at how you're protecting customer data and whether your security practices are adequate. For organisations that have been reluctant to invest in information security practices, this legislation alone should not be the primary driver to protect your organisation and, ultimately, your customers’ data. As a priority, every organisation should continually review its data security to ensure that no customer data is unwittingly compromised. You should adopt a risk-based methodology for managing privacy rather than wait for the law to come into effect: the time to act is now.

Article by Sean Duca, vice president and regional chief security officer, Asia Pacific, Palo Alto Networks.