- What are the new data breach notification laws?
- What are notifiable data breaches?
- Examples of a data breach
- Which entities does the NDB scheme affect? Is my business a part of this?
- How do I know if I have had my data breached?
- What do I do if my data has been breached?
- Your business may have other obligations when reporting data breaches
- Data breaches for certain categories of information
Phishing, ransomware and malware are all fraudulent ways to obtain sensitive information and data from your business: some are disguised as coming from trustworthy sites and sources, others threaten your business if you do not pay up.
Recent OAIC figures show that data breaches in Australia have increased by over 700% in the last year alone (2019), with 60% of data breaches caused by malicious or criminal attacks. Perhaps surprisingly, 35% of data breaches were the result of human error.
As threats to your business's information and data become increasingly sophisticated, your business needs to pay closer attention.
From February 2018, new mandatory notifiable data breach (NDB) laws kicked in, requiring firms to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
What are the new data breach notification laws?
The NDB scheme in Part IIIC of the Privacy Act requires entities to notify affected individuals and the Commissioner of certain data breaches.
Administered under the Office of the Australian Information Commissioner (OAIC), the Notifiable Data Breaches scheme states that any organisation or agency covered under the Privacy Act 1988 must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.
More information on the NDB scheme can be found here.
What are notifiable data breaches?
An eligible data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure, and the following criteria apply:
- There is unauthorised access to, or disclosure of, personal information held by an entity (or the information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- The breach is likely to result in serious harm to any of the individuals to whom the information relates.
- The entity has been unable to prevent the likely risk of serious harm with remedial action.
Examples of a data breach
Data breaches can negatively impact both businesses and individuals in many ways, costing your business money, time and reputation. For example:
- The company's database holding personal information is hacked.
- A device (computer, server) containing customer personal information is lost or stolen.
- Personal information is mistakenly given to the wrong person.
- Hard copies of personal records are stolen from the premises.
Which entities does the NDB scheme affect? Is my business a part of this?
If your business is covered under the Privacy Act 1988, this law applies to your business. Basically, all government departments and businesses with a turnover of more than $3 million have responsibilities under this Act.
A range of businesses with turnovers of less than $3 million are also included, such as some health providers, credit reporting bodies and contracted service providers to the Australian Government.
Any small business can opt-in to the Privacy Act.
Click here to find out if your business is included under the Privacy Act 1988.
How do I know if I have had my data breached?
A data breach is obvious when data, or devices holding data, have been physically stolen or lost.
However, digital data breaches can be harder to detect because hackers are patient and getting better at covering their tracks. The most obvious sign that your data has been compromised is a ransomware screen telling you that your data has been encrypted and demanding payment.
This article by Leapfrog, a managed IT services company, lists 12 Ways To Know If Your Business Has Been Breached. This handy list helps make you aware of the signs of a data breach and suggests ways to keep your data safe so a breach does not happen in the first place.
What do I do if my data has been breached?
Every data breach and its circumstances can vary greatly, so there is no one way to handle a breach.
Here is a procedure to help you work through the steps to minimise the harm to your business and the affected individuals, while ensuring your business has fulfilled its obligations under the NDB scheme.
- Step 1. Contain the data breach to prevent any further compromise of personal information. This could include simple steps such as recovering the data if possible and suspending the activity that breached the data in the first place, changing passwords, and limiting access to the systems.
- Step 2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and what caused the breach, and, where possible, take action to remediate any risk of harm.
- Step 3. Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
- Step 4. Review the incident and consider what actions can be taken to prevent future breaches. At any time, entities should take remedial action, where possible, to limit the impact of the breach on affected individuals. If remedial action is successful in preventing a likely risk of serious harm to individuals, the NDB scheme notification obligations may not apply.
Detailed information on the NDB scheme and your obligations can be found in Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).
Your business may have other obligations when reporting data breaches
Depending on your industry and the territories your business operates in, your entity may have other obligations beyond the NDB scheme within the Privacy Act that relate to personal information security and data breaches.
For example, Australian businesses may need to comply with the European Union General Data Protection Regulation (GDPR) if they have an establishment in the EU, offer goods and services in the EU, or monitor the behaviour of individuals in the EU.
Data breaches for certain categories of information
Certain categories of information, such as individuals' health records, may be subject to their own mandatory or voluntary reporting schemes, so your business may also need to report breaches affecting them to bodies such as the Department of Health or the Australian Digital Health Agency (ADHA).
Depending on your industry, other bodies you may need to report a data breach to include your financial services provider, the police or other law enforcement bodies, the Australian Securities & Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC), the Australian Cyber Security Centre (ACSC), State or Territory Privacy and Information Commissioners, professional associations and regulatory bodies, and insurance providers.
Prevention of data breaches is far better for your business. Penguin Management can help minimise your risk across the organisation through simple, inexpensive methods and procedures. If you need help assessing your business’ risk to data breaches, click here or call us on 1300 319 870.
There is a growing need for all businesses to conduct regular health checks, to not only critically assess the business’ profitability and viability but also empower decision making to safeguard long-term growth and sustainability. Does your business need a health check?
If you are considering outsourcing your payroll, you need to choose a payroll service provider who has secure systems and processes to protect the confidential information of your employees – here’s how to choose the right company to outsource your payroll.