Australian businesses can no longer keep quiet about data breaches. On February 22, 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017, which requires organisations to notify affected clients of data breaches, comes into effect.
Countries like the US and UK have had similar legislation for years; given the scale of past Australian breaches, like the Red Cross leak in 2016, it's about time we caught up. The scheme lets Australians keep watch over the privacy of their personal information and act quickly if it is compromised, but there's no denying that it will require local businesses to invest more in IT management.
Whether or not your company handles sensitive information, here's everything you need to know.
Whom does it apply to?
The scheme applies to almost every organisation covered by the Privacy Act, including government agencies, businesses and non-profits with an annual turnover of at least $3 million, private healthcare providers, educational institutions, and small businesses that handle credit information. The Privacy Act also applies to individuals and businesses of any size that handle tax file numbers, health records, or financial data.
When is a breach notification required?
Under the scheme, notification is required when a breach is likely to result in "serious harm" to any of the individuals whose information is involved. Serious harm, in this context, covers financial, physical, psychological, emotional, and reputational damage.
Examples of incidents that would require notifying your clients include an improper disclosure of financial records, the accidental loss or deletion of private health information, and a malicious intrusion into a data centre holding personal information.
If you suspect a breach has occurred, you are required to carry out a "reasonable and expeditious" assessment, completed within 30 days of becoming aware of the suspected breach, to determine whether the compromised data is likely to cause serious harm to your clients. If there are reasonable grounds to believe such a breach has occurred, you must promptly notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals.
The notification can be sent by email or another secure means of communication, and must include the following information:
- What was compromised – the kinds of personal information involved, with a brief description of the affected records
- How the breach occurred – including what caused it and when it happened
- What clients should do – such as change their passwords, restore from backups, and so on
- Your contact details – for customers who want more information
Where it is not practicable to notify each affected individual directly, you must publish a statement about the breach on your website and take reasonable steps to publicise it, for example through a press release.
What are the penalties?
Failure to comply with the new mandate can lead to substantial legal penalties. Under the scheme, serious or repeated non-compliance can attract a maximum penalty of $360,000 for individuals and $1,800,000 for organisations.
On top of the legal penalties, there's a good chance that customers who trusted your company to keep their personal information safe will take legal action against you and take their business elsewhere.
And those are only part of the cost of a breach. Recent reports put the average cost of a data breach at $139 per lost or stolen record, which doesn't sound like much until you lose 2,000 or more records and the costs start to pile up.
For this reason, you should spend the next few months preparing for the notification laws. Here's how.
Re-evaluate data management
First and foremost, perform a thorough assessment of your data management policies. Is all of the personal client information you store essential to your business operations? If not, delete whatever you can: data you no longer hold cannot be breached.
Next, think about where sensitive data is stored. Is it on employee desktops? On-premises servers? The cloud? Although multiple storage locations are important for redundancy, overdoing it makes auditing information security much harder, so keep sensitive data in a small number of secure, routinely monitored environments, such as a private cloud.
It's also important to know who has access to your data. If you don't want front-of-house staff viewing or sharing sensitive files, restrict access to those who need it and keep current records of who has access to what.
Fortify your defences
In addition to data management, you need security controls that can fend off attackers and malware. At the very least, every business should have:
- Intrusion prevention systems – to identify and block suspicious payloads or programmes before they reach your network and files
- Encryption – to protect data both at rest and in transit
- Multi-factor authentication – to verify logins with a second factor, such as a fingerprint scan or a one-time security code
- Anti-phishing filtering – to block unsolicited emails that request personal information or credentials
Develop a response plan
Finally, a well-crafted incident response plan minimises the “serious harm” caused by a breach. Generally, the plan should include three components:
- A method for identifying and securing vulnerabilities
- A strategy for notifying government agencies and affected parties
- A training programme
The first part of the plan requires tools that detect a breach quickly and support fast containment, such as patching the vulnerability that was exploited. The second part involves keeping the relevant contact details (including the OAIC's) on hand and having breach notification templates ready for employees to use. The third consists of training sessions in which employees learn whom to notify and how to prevent similar incidents in the future.
The important thing to take away from this is that the consequences of data breaches are now more severe than ever before, which means companies must be proactive in preventing and responding to cyber threats. But if you’re thinking this is easier said than done, think again.
Empower IT is a leading expert in cybersecurity and compliance. Whether you need security assessments, 24/7 monitoring and management, backup solutions, or encryption software, we have all the solutions and services you need to achieve and maintain compliance. Call us today to learn more about what we can do for you.