It’s nearly 12 months since the Australian federal government introduced legislation to force mandatory data breach notifications on businesses in Australia. In that time, we’ve found that only a small percentage of businesses have taken a look at their systems and processes to see if they are at risk.
Importantly, this new legislation isn’t solely an IT issue. This is a whole-of-business problem that warrants discussion and planning.
In early 2018 the legislation comes into force and nearly all businesses will be impacted. Unfortunately, many still don’t realise that they are in the firing line and potentially risk heavy fines.
Let’s briefly recap on the new legislation. If you can answer “yes” to the following, you’re going to be affected by the new legislation:
- Your business is subject to the Privacy Act.
- Your business turns over more than $3m per year.
By casting the net so wide, the government is showing that it takes data breaches seriously.
For your business, the definition of a data breach is fairly simple to understand. When there has been:
- Unauthorised access to any data.
- Unauthorised disclosure of personal information about one or more individuals (customers or staff).
- Loss of data that could be subject to unauthorised access or unauthorised disclosure.
It’s important to note that a data breach isn’t always the outcome of a malicious attack from the Internet. You could be the victim of a data breach through a malware outbreak or through the work of an employee who has an agenda.
It’s easy for businesses to put this in the too-hard basket. Securing your environment properly looks difficult and expensive. What if you don’t have time for this? What if you don’t have the resources to look at this? What if you don’t have the money for this?
You’re probably also thinking that a data breach won’t happen to you, or that your business doesn’t have the profile to be found out. Right?
What are the penalties if I don’t follow the mandatory data breach laws?
Ultimately there is a financial penalty if you are the victim of a data breach. This can range from a $360,000 fine for individuals up to $1.8m for businesses.
How can I prepare for mandatory data breach notification?
Frankly, don’t panic and don’t overreact. Preparing your business for the new legislation doesn’t mean you have to spend large amounts of money from the get-go. It starts with a conversation.
You can read more about the legislation from the Office of the Australian Privacy Commissioner. They’ve put together a guide on handling security breaches.