How to navigate the new data breach regulations

Feb 8, 2018, in cyber security , by Chris Davies


We now live in the age of information, where we have not only created a world of data that can answer almost any question imaginable (thanks, world wide web!), but, to adapt to the changes in society brought about by the emergence of technology, we now also store sensitive personal and business information remotely.

In essence, the context of information storage, access and distribution is changing.

After watching from the sidelines as relentless cyber attacks took place in 2017, it seems it was only a matter of time before government regulations such as the Privacy Amendment (Notifiable Data Breaches) Act 2017 (which established the Notifiable Data Breaches (NDB) Scheme) were implemented.

With the regulations coming into effect as of February 2018, they set a new governmental standard for the way a data breach of personal information is handled by organisations. Under these regulations it is now mandatory for businesses to report any data breach to the Office of the Australian Information Commissioner (OAIC), and to notify affected individuals, where personal data is compromised.

A data breach is a loss for everyone, so to help you begin to navigate the changes we want to help you understand the new legal requirements, and how to know whether your IT partner is holding up their end.


First up, a breakdown of compliance.

In essence, all entities that are expected to comply with the Privacy Act are affected by the new regulations.

By the OAIC's definition, a data breach is unauthorised access to, unauthorised disclosure of, or the loss of personal information that is held by an entity. Two criteria must be met for a breach to fall under the NDB Scheme:

1. The breach of information is likely to cause serious harm to one or more individuals

2. The entity responsible is unable to mitigate the risk of likely harm with remedial action

In the definition above, serious harm refers to the possibility that physical, emotional, reputational, psychological or financial harm may be caused by a breach of data.


Your legal requirements in the case of a breach.

If you find yourself in the unfortunate circumstance where a data breach meets the criteria outlined above, you are obligated to provide a statement to the OAIC, as well as to all individuals affected by the breach. Your report is expected to include a description of the incident, the kinds of information involved, and recommendations to the affected individual(s) on the steps they can take to minimise their risk of harm.

If you are unable to establish direct contact with the affected individuals, the statement must be published on the entity's website, with reasonable steps taken to publicise it.


How can you prepare your business for these changes?

The first piece of advice we would give to any company that falls under this new legislation is to speak with their legal team to ensure the company is compliant.

Next, it is a good opportunity to re-evaluate the information you collect from your customers and whether all of it is relevant and necessary; this helps you avoid storing information you do not need, which lowers your risk.

In addition, you should start a conversation with your IT provider about the additional security controls your organisation can implement, such as two-factor authentication. These small adjustments allow your organisation to enhance its cybersecurity while giving you peace of mind.


Consequences of non-compliance

On one side, there are the legal penalties your business could face if you do not comply. Specifically, you could be open to a public investigation which, if you are found liable, could mean civil penalties of up to 10,000 penalty units ($2.1 million).

The other repercussion is public shaming. A breach could result in a media scandal, depending on the type of information your organisation collects.

Needless to say, neither are good for business!


How to know if your IT provider is holding up their end.

For many businesses, IT is managed by a chosen IT partner. So how do you know whether they have implemented the cybersecurity measures needed to keep your data safe?

Our advice is to ask the tough questions and see whether they can give you adequate answers (that they can back up). If not, it might be time to start looking for an alternative partner...


At the end of the day, information is key (pun intended!), whether that means being up to date on the changes happening around you or on your own current situation. And although we love providing articles that educate, please do not use this information in place of seeking legal advice where necessary.

If you would like to speak to us about the state of your organisation's cyber security, you can reach out to us here.

Chris Davies

Managing Director

Passionate about the business discipline of Technology Management, and the role it should play in business growth.