8 Things You Must Do Now To Protect You & Your Business Under The Brand New Australian Data Breach Privacy Laws
Yesterday, the Australian Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Bill 2016.
This means that Australian organisations will now have to publicly disclose any data breaches.
Penalties for non-disclosure range from $360,000 for responsible individuals to $1.8 million for organisations.
Forget the fines, if the world found out you were responsible for a data breach, what would that do to your business reputation? Are you the responsible person?
Who does it affect ?
Just about all Australian businesses and non-profit organisations:
- Revenue > $3m p.a. – all organisations
- Revenue < $3m p.a. :
- Businesses that sell or purchase personal information along with credit reporting bodies
- Child care centres, private schools and private tertiary educational institutions.
- Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records
- Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
When does it start ?
Any day - as soon as the new law is signed by the Governor General.
What is a data breach?
A breach occurs where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals
AND this event could allow serious harm to an individual :
- Financial harm that could allow identity theft or fraud (e.g. Loss of financial data, credit card information, etc.)
- Any other harm that, if the information was disclosed, could be deemed sensitive by that person and may subject them to discriminatory treatment, humiliation or damage to their reputation (e.g. health and other private information)
- Harm may be physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation
Who do you have to Notify ?
- All affected customers
- and the Government Privacy Commissioner
- within 30 days of any breach or data loss.
You’ll need to disclose what information was involved. This could include personal details, credit card information, credit eligibility information, and tax file numbers.
You’ll also need to advise the customers what they should do to protect themselves.
Penalties per non-disclosure range from $360,000 for individuals to $1.8 million for organisations.
What Must I do NOW?
- Inform and train all of your staff on the new responsibilities
- Document all systems that your staff may be using to store any customer data (including all those cloud systems – what about Dropbox, Google Docs, Slack, Amazon Web Services,etc.)
- Do you know exactly what is stored and where?
- Which systems store personal or financial data ?
- Are their security protocols designed for businesses and consistent?
- Can you control access to these systems?
- Can you audit activity in these systems?
- Will you even know if a data breach occurs? Ignorance is no defence
- Will you be able to report fully and in time? Slow systems are no defence
- All data breached must be disclosed within 30 days.
- Can you control the transfer of data in and out of these systems?
- Analyse if any of your services are private in nature?
- Do your customer’s care if the public find out they are using your services?
- Create a Data Storage and Archiving policy so your staff know where and how to store data.
- Create a Data Protection and Security policy for your organisation so only the right people have access to the data.
- Prepare and distribute a Response and Notification Plan for when an incident occurs:
- What will you tell customers and the Privacy Commissioner?
- Who will tell them?
- How will you tell them?
- Do you know what is good advice to protect them after a breach?
- Perform Test Data Breaches
- Check your insurances about your protection and liability requirements.
If you need help with this, contact your professional Business Technology Adviser who should have the systems ready now to prepare and protect you.
If you require any assistance, call us to arrange a Data Security Audit at 1300-SENSIBLE (736-742) or email : firstname.lastname@example.org