By Stuart Ridley, Content Strategist at Haventec
After several years of debate the Federal Government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 that tightens the rules around data breach notifications.
Mandatory breach notification will be enforced from February 2018.
Most organisations covered by the Privacy Act (including businesses with more than $3million annual turnover, government agencies and NPOs) will be legally required to announce data breaches to the Australian Privacy and Information Commissioner and all people affected by a breach.
All affected clients, customers and members will need to be alerted as soon as possible (within 30 days) if there is any risk of serious harm.
A data breach notification should be delivered through the usual expected channels – the key word is ‘expected’ – in short, whichever channel/s people are used to, to help cut the risk of people dismissing a notification as a scam.
The notification needs to include:
- Clear description of the data breach – when, where and who is affected
- Disclosure of the nature of information exposed (e.g. names and contact details)
- Instructions on what affected people need to do to respond (including recovery and/or protection)
Failure to comply with the new notification rules could lead to fines of up to $360,000 for individuals and $1.8million for organisations.
Data privacy legislation is also being updated worldwide:
- The EU General Data Protection Regulation will enter into force on 25 May 2018
- In the United States, State-owned data protection and mandatory breach legislation applies, with a national review expected in 2018
- Malaysia’s Personal Data Protection Act has been in force since 2010
- The Philippines Data Privacy Act has been in force since 2012
- Singapore’s Personal Data Protection Act passed in 2017
Robert Morrish, CEO of Haventec, notes: “Although most people know their personal identity, financial and health information is potentially valuable to hackers, their online behaviour suggests otherwise about the risks involved – or put simply, that data security is not ‘their’ problem but the responsibility of the organisations with which they transact.”
“Public trust in any organisation is instantly eroded when its supposedly ‘secure’ digital and physical environments are breached, exposing personal customer data. The personal cost to each individual might vary incident by incident, but ultimately it amounts to significant reputational damage for the organisation that allowed the breach to happen.”
Haventec has an interest in preventing data breaches happening in the first place.
While Haventec’s focus is mainly helping organisations and individuals better protect their sensitive data, we are working with our partners to help customers improve security practices overall, including:
- Who has access and how much access are they given?
- How are ongoing security behaviours monitored and responded to? (e.g. Do users have to prove trustworthiness before they are given higher access?)
- Where is data held (including with external data hosts) and who has the keys?
- How is data catalogued and identified?
- How is data handled within the organisation ‘off network’ (i.e. What are the risks of data being leaked inadvertently or deliberately by staff who have printed or copied records?)
- How is every item protected, from access point or gateway to database to individual record?
“As hackers are increasingly more efficient at outsmarting organisations’ cyber security measures, more corporate C-Suite leaders are being held to account – in the media, by their shareholders and customers, and ultimately, by their legislators,” warns Robert Morrish. “Some leaders can face criminal convictions where obvious negligence is demonstrable.”
“Yet, many organisations appear to only take data protection measures as that required by law, rather than focusing on removing breach risks. Most importantly, adhering to regulatory guidelines (or rules) for data security does not of itself render personal data as safe from intrusion and theft.”
“The published research on breaches of sensitive data indicates that most companies are not aware they have been breached and become aware of a breach months after it has occurred. The best stance is to assume that breaches will happen – and address the challenge now.”