
How businesses should prepare for Australia’s new mandatory data breach notification laws

19 Apr 17

Australia, like other countries, has not been immune to data breaches in which personal information has been exposed. The much-anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016, whereby organisations will be legally obliged to disclose data breaches, has been passed by the Australian Federal Government, and the laws will come into effect within the next 12 months. The bill applies to all Australian government agencies, businesses, and not-for-profit organisations governed by the Privacy Act with an annual turnover of more than $3 million, with some exceptions.

Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act, including:

  • Private sector health service providers. Organisations providing a health service include:
    • Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals.
    • Complementary therapists, such as naturopaths and chiropractors.
    • Gyms and weight-loss clinics.
    • Child care centres, private schools and private tertiary educational institutions.
  • Businesses that sell or purchase personal information; organisations that handle consumer credit reporting information, including credit reporting bodies and credit providers (which includes energy and water utilities and telecommunication providers); organisations that handle tax file numbers; and certain other third parties.

Once the mandatory data breach notification scheme comes into force, organisations will need to report any 'eligible' data breaches to the Australian Privacy and Information Commissioner, and notify customers that may have been affected as soon as possible. 

The government classifies a data breach as an instance where there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure".

It qualifies as an "eligible data breach" when the individuals affected by the incident are likely to be at "risk of serious harm" because their information has been exposed.

When notifying the Australian Privacy and Information Commissioner and affected customers, businesses must include a description of the data breach, the kind of information that has been compromised, and the steps that individuals can take to protect themselves in response to the incident.

What if I don’t comply? 

Failure to comply with the new notification scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences. 

A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate. (4)

What actions should I take now? 

If your organisation has been lax with data security policies, this is a wake-up call that the government is taking data breaches more seriously. 

Every organisation should begin to:

  • Review your data collection practices and policies, internal data-handling, and data-breach policies to reflect the new requirements and ensure personal information is collected and stored only when needed.
  • Audit how you are holding data and whether any sits with third parties (for example, in the cloud) on your organisation’s behalf.
  • Strengthen your cybersecurity defences. Visibility is key. This means reviewing your cybersecurity strategies and practices to ensure that controls are in place to prevent data breaches, and that you have identified ways to reduce the administrative errors that could lead to a breach. For example:
    • Who has access to the data, and do they need that access? Reducing or limiting access reduces the chance of anyone inadvertently leaking the data or of a cyber criminal getting access to it.
    • For sensitive data, think about how it could be shared. Is the right governance in place to prevent someone from sharing it inappropriately or breaking a business process? Often a process needs to be updated to strike a balance between risk and productivity.

Now is the time to sit down, have these conversations, and look at how you're protecting customer data and whether your security practices are adequate. For organisations that have been reluctant to invest in information security practices, this legislation alone should not be the primary driver to protect your organisation and, ultimately, your customers’ data. 

As a priority, every organisation should continually review its data security to ensure that no customer data is unwittingly compromised. You should look at using a risk-based methodology for managing privacy and not wait for the law to come into effect, as the time to act is now. 

Article by Sean Duca, vice president and regional chief security officer, Asia Pacific, Palo Alto Networks.
