A much-anticipated change to the Privacy Act, the Notifiable Data Breaches Bill 2016, finally passed the Senate last month, ushering in a new period of digital transparency for Australian business.
Organisations that fall under the amended Privacy Act* will soon be required by law to notify both the Privacy Commissioner and any affected individuals of data breaches or data losses that occur on their watch.
Businesses that fail to report an ‘eligible breach’, or that wilfully ignore their reporting obligations, can expect fines of up to $360,000 for individuals and $1.8 million for organisations.
High stakes for business
The legislation defines an ‘eligible breach’ as one that occurs when:
- a third party has obtained unauthorised access to customer data
- personal information that can identify an individual has been disclosed (maliciously, accidentally or inadvertently), or
- customer information has been lost
Furthermore, if that unauthorised access, disclosure or loss is likely to result in serious harm to the individuals involved, the onus is on the organisation to report the matter swiftly, to contact directly those whose data may have been compromised, and to take appropriate remedial action.
For example, if a person’s credit information or tax file number were exposed, the organisation has 30 days to assess whether the matter is likely to result in serious harm to those affected; if it meets the criteria, the organisation must report the breach and take remedial action.
Security breaches need not be criminal acts
Interestingly, while most would assume that an ‘eligible breach’ refers only to a deliberate, calculated or malicious attack (the archetypal hacker), the explanatory definition is much broader: a breach can include lost or stolen laptops, USB drives or other portable storage devices, paper records that have been misplaced or stolen, and even emails containing sensitive information sent to the wrong person.
It’s clear that this legislation is purposefully designed to place the onus on private and public institutions to ensure that they not only have the capacity to detect a data breach, but that they will act expeditiously to resolve it.
According to the Australian Financial Review, the clock is ticking for companies to ‘make sure a cyber incident response plan’ is in place.
‘Every day there are reports of new incidents of unauthorised disclosures of private and personal information … Making greater transparency a legal obligation means all boards and management teams know that trying to sweep problems under the carpet is no longer an option,’ said Macquarie Telecom Group CEO David Tudehope.
La Trobe University Deputy Chancellor, Andrew Eddy, echoes this sentiment:
‘It’s good to see that we’re finally catching up with other countries. It’s important this is brought out into the open. Boards and management need to be more effective in dealing with risk and learning from each other.’
The stakes are higher now; businesses will have to apply due diligence and be more proactive when it comes to looking after customer data. ‘The issue is now mainstream,’ says Eddy.
‘It’s not a question of if, but when and how badly. We also need to realise that it’s not just about breaches of IT security; a significant portion of cybercrime is achieved through the unwitting intervention of staff being targeted – so employee awareness and training is paramount.’
One thing is clear – organisations need to move cybersecurity much higher up on the business agenda – across all business verticals. Those that don’t risk major reputational fallout as well as financial, operational and legal repercussions.
If you’re interested in cybersecurity and you have a unique skillset that you could bring to this changing industry, explore our Cybersecurity specialist degrees today.
* Most small businesses – defined as those with an annual turnover of $3 million or less – don’t fall under the Privacy Act and therefore won’t be required to comply with the new reporting requirements.