How does Mandatory Data Breach Reporting affect your business?

Posted on Mar 20, 2018

As of 22 February 2018, new legislation took effect.

There is now legislation on mandatory reporting of data breaches which affects a wide range of organisations and businesses in Australia. The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) establishes requirements for entities in responding to data breaches.

Who must comply with the NDB scheme?

The NDB scheme applies to agencies and organisations that the Privacy Act already requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.

For the purposes of this mandatory reporting, a breach is defined as follows:

“A data breach is when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.

A ‘data breach’ may also constitute a breach of the Privacy Act, however this will depend on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the APPs, a registered APP code”

What if we are breached?

It used to be that if you were breached, the work was in cleaning up the mess it made. Now there is the added obligation, where the breach is likely to result in serious harm, of notifying every individual whose information may have been accessed or leaked. You must inform them of the breach and recommend the steps they should take to protect themselves. You must also notify the Australian Information Commissioner of the nature of the breach. Hence the concern over reputational damage.

Failure to comply with these obligations may carry a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

What does this mean for you?

We will begin to hear more about businesses that have been breached, and as a result the scale of the problem will be better understood. However, customers will also begin to avoid businesses whose breaches are reported. The brand damage and the cost of clean-up are worth avoiding.

What can we do to avoid being breached?

Combo offers BizProtect Cyber, a set of products and services for the SME marketplace. If your business or organisation has 30 to 500 computers, we have services and products to keep your data safe on your network or in the cloud, giving you peace of mind that updates are reliably and regularly applied and that breach points are managed and monitored.

More information and advice is available:

www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

If you have any concerns about the state of your cyber security or the validity of your management processes and staff policies please don’t hesitate to contact us.