Are you taking “reasonable steps” to protect your customers’ data? Within 12 months you will be legally required to report data breaches that occur within your business.
Review our tips on how to avoid data breaches in the first place, and on what will be required of you in the event of a data breach…
What is the Mandatory Data Breach Notification scheme?
After five years of attempts to get the Mandatory Data Breach Notification scheme up and running, the Australian Senate finally passed new laws last week that will make it compulsory for businesses and government agencies to notify the Privacy Commissioner and affected customers if they have experienced a data breach.
Why has this passed now?
With advances in technology, businesses are holding ever larger amounts of personal information online, raising the risk that customers’ personal information could be “hacked” and used for identity theft and identity fraud.
Immediate notification to customers by an organisation that suffers a data breach allows individuals whose personal information has been compromised to take prompt steps to lessen the impact of the breach. For example, the individual may wish to change passwords or take other steps to protect his or her personal information.
How to avoid data breaches in the first place…
Security is a fundamental part of Diamond’s unique and effective managed service, Technology Optimisation, which was created to align your technical environment to industry best practice on an ongoing, proactive basis.
Within the IT industry, best practice is fluid and constantly changing: new operating systems, new technologies and new threats all affect these standards. Closer technical alignment to industry best practice reduces the impact and risk of growing threats such as ransomware and data breaches.
When does this scheme start?
Within 12 months of the scheme passing the Senate, i.e. by April 2018.
What do I need to do?
Start taking steps now to ensure your business is not vulnerable to data breaches. This is an important time to assess your choice of IT provider and ensure they are providing the right service to protect your organisation. Alternatively, you can contact us for more information on our unique and proactive managed service, Technology Optimisation, to see whether our businesses would be a good fit.
What is considered a data breach?
According to the Privacy Amendment (Notification Data Breaches) Bill 2016, in some jurisdictions notification is only required if the data breach meets a specified harm threshold.
Examples of when data breach notification may be required include:
- a malicious breach of the secure storage and handling of information (e.g. in a cyber security incident),
- an accidental loss (most commonly of IT equipment or hard copy documents),
- a negligent or improper disclosure of information, or otherwise,
- where the incident satisfies the applicable harm threshold (if any).
What does this mean for your business?
The scheme applies only to government agencies and organisations governed by the Privacy Act, meaning that state government organisations and local councils, plus organisations with a turnover of less than $3 million a year, fall outside the legislation.
However, some exceptions apply to organisations that fall outside this range, including child care centres, private schools and private sector health service providers. The legislation also applies to individuals who handle and store customers’ personal information online.
What do I report if my business is breached?
In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after it becomes aware that there are reasonable grounds to believe an eligible data breach has occurred (unless an exception applies).
The notification must include:
- the identity and contact details of the entity,
- a description of the serious data breach,
- the kinds of information concerned, and
- recommendations about the steps that individuals should take in response to the serious data breach.
What if there is a breach on my service provider that holds my data?
According to the Bill, if more than one entity jointly and simultaneously holds the same particular record of personal information, an eligible data breach of one entity may also be an eligible data breach of each of the other entities.
This situation could potentially arise in cases involving outsourcing, joint ventures or shared services arrangements. For example, if one entity stores personal information in an online platform provided by another entity, and both entities ‘hold’ the information, an eligible data breach involving the information could potentially be an eligible data breach of both entities.
How can Diamond help?
Contact us today for more information on how we can work together with you to avoid data breaches through our industry-recognised and award-winning services: call now on 1300 307 907 or use our online contact form below.