On 13 February 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed, and is set to come into effect in 2018.The scale of the changes means organisations should start preparations now.
The new Mandatory Data Breach Notification law applies to public and private organisations that are already subject to the Privacy Act – this includes Australian Government agencies (excluding state and local government) and all businesses and not-for-profit organisations with an annual turnover more than $3 million. It aims to incentivise the holders of data to adequately secure or dispose of that information. It also allows individuals whose personal information has been compromised by a breach to take remedial steps to lessen the adverse impact that might arise from the breach. As a result, a number of new measures will be introduced that will require attention.
What is a data breach?
A data breach is defined as a situation where:
- There has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or
such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
- There is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
- Relevant data can include data such as personal information, credit information and tax file numbers.
- A real risk of “serious harm” can include physical, psychological, emotional, economic and financial harm, and also includes serious harm to reputation.
These are some of the most significant changes introduced:
Compulsory regulatory notification
In the event of a data breach, the organisation has a duty of notification to the Office of the Australian Information Commissioner (OAIC) and the affected individuals of an eligible data breach “as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.”
This is a game changer. Currently, whilst organisations subject to the Privacy Act are ‘encouraged’ to notify OAIC in the event of a data breach, they have no legal obligation to do so. This will make the response to these incidents compulsory and time critical.
The amount of data may be as little as one of the above records.
Notification is deemed compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to public interest.
Under the new laws, where an organisation has committed “serious or repeated non-compliance with mandatory notification requirements”, they could be faced with penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.
Furthermore, a significant data breach to your organisation can be financially crippling. Resultant costs could range from business interruption, incident response, third party claims and legal costs, to customer notification expenses and damage to data.
These financial implications will require a systematic change of attitude for many organisations, with cyber risks and data security elevated to boardroom level.
Preparing for the new regulations
With these significant changes set to be introduced, it is important to start considering them as soon as possible. We recommend appointing a steering committee to ensure all implications of the new regulations are fully understood, and existing systems and processes are adapted to reflect the new requirements.
Running a full risk assessment can be a useful exercise. This will highlight any potential issues and enable you to take action now to avoid problems when the regulations are introduced.
Insurance could also be a consideration. Aon, together with insurers, has created cyber policies to address this exposure. As well as covering losses that may be incurred, this also ensures the right expertise is available when a data breach occurs.
But, whether or not insurance is appropriate, prudent risk managers should consider their obligations and make sure the correct processes and systems are in place ahead of the legislation coming into effect. And, given the volume of work required to comply with the regulations, starting now is essential.
How we can help
We can help you understand the implications of this legislation, and what Mandatory Data Breach Notification mean for your organisation. This may include reviewing your organisations cyber risk profile and considering your cyber insurance and incident response plan. If you would like to discuss further please contact us on 1300 639 848 or firstname.lastname@example.org