In February 2018, new privacy laws will come into place introducing mandatory data breach notifications to inform when a data breach has occurred.
The government defines an eligible data breach if:
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity, and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates
Do these new laws apply to you?
Organisations that are required to adhere to these new regulations are those to which the Privacy Act applies:
- Australian Government Agencies
- Businesses and not-for-profit organisations with an annual turnover above $3million
- Private sector health services providers
- Educational and child care institutions
- Businesses that buy or sell personal information, including credit reporting
With financial penalties for not adhering to the legislation a maximum of $1.7 million for corporates and $300,000 for Directors, understanding your data, potential areas of risk, and having a plan in place is crucial to the financial status and reputation of all businesses that are required to adhere to these regulations.
Prepare and prevent
Should you believe that an eligible data breach has occurred on your data you will be required to carry out a reasonable and expeditious assessment of the breach and then notify the Australian Privacy and Information Commission and affected individual/s of the breach. Full details of your legal requirements can be found here.
A large component of this notification is having a plan in place to communicate and resolve the data breach as quickly as possible. All too often we see companies experience a data breach and being caught short because they were unprepared to deal with the event and the consequences, resulting in a significant cost to their business.
Given the global increase in cybersecurity events and the catastrophic harm such a breach can potentially cause your brand along with the associated revenue damage, this legislative change is a timely reminder to review your information security policies, understand how you interact with data and assess the risk to your business and your customers. We recommend reviewing four areas of your business where data is most at risk:
- Risk functions – potentially out of date functions that are focused on insurable business risks and less experienced in managing fast-evolving non-physical risks centred around a digital environment requiring a change in mindset and approach.
- The data itself - defining the data you need to protect and how it is used in order to ensure your most critical data is the focus of your information security strategy and controls.
- People and culture – aligning your risk culture to your information security policies, ownership of your systems and data at a senior level and ensuring your people are appropriately trained and aware.
- The supply chain – ensuring your 3rd party IT service and support providers have appropriate cyber security processes and controls in place.
The potential ‘crown jewels’ of data checklist:
- Research and development data
- Regulated data sets: health data, financial transaction data
- Credit card data and other payment information
- Proprietary processes
- Email server data containing the email traffic of senior team
- Trade secrets
- Personally identifiable information
- Intellectual property
- Financial information