Australia, like other countries, has not been immune to data breaches in which personal information has been exposed. The much-anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016, whereby organisations will be legally obliged to disclose data breaches, has been passed by the Australian Federal Government, and the laws will come into effect within the next 12 months. The bill applies to all Australian government agencies, businesses, and not-for-profit organisations governed by the Privacy Act with an annual turnover of more than $3 million, with some exceptions.
Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act, including:
Once the mandatory data breach notification scheme comes into force, organisations will need to report any 'eligible' data breaches to the Australian Privacy and Information Commissioner, and notify customers that may have been affected as soon as possible.
The government classifies a data breach as an instance where there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure".
It qualifies as an "eligible data breach" when there is a likelihood that the individuals affected by the incident are at "risk of serious harm" because their information has been exposed.
When contacting the Australian Privacy and Information Commissioner about affected customers, businesses must include a description of the data breach, the kind of information that has been compromised, and the steps that individuals can take in response to the incident to protect themselves.
What if I don’t comply?
Failure to comply with the new notification scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences.
A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate. (4)
What actions should I take now?
If your organisation has been lax with data security policies, this is a wake-up call that the government is taking data breaches more seriously.
Every organisation should begin to:
Now is the time to sit down, have these conversations, and look at how you're protecting customer data and whether your security practices are adequate. For organisations that have been reluctant to invest in information security practices, this legislation alone should not be the primary driver to protect your organisation and, ultimately, your customers’ data.
As a priority, every organisation should continually review its data security to ensure that no customer data is unwittingly compromised. You should look at using a risk-based methodology for managing privacy and not wait for the law to come into effect, as the time to act is now.
Article by Sean Duca, vice president and regional chief security officer, Asia Pacific, Palo Alto Networks.