The Government’s new information security laws are now operational and have the potential to impact many businesses!
From 22 February, businesses are required to notify affected individuals (e.g. a client’s employees) and the Office of the Australian Information Commissioner (OAIC) of a data breach. In a nutshell, the new regime requires certain organisations (many businesses and Government agencies) to notify individuals likely to be seriously impacted in the event of a data breach at that organisation. These organisations include:
(a) All entities subject to the Commonwealth Privacy Act (most Government agencies and private sector organisations with a turnover of $3 million or more)
(b) Certain credit providers
(c) Credit reporting bodies, and
(d) TFN recipients.
The new legislation considers a breach to have occurred when data is accessed by an unauthorised entity and that access generates a real risk of serious harm to the individuals and businesses whose personal information has been disclosed. Data breaches need not involve malicious actions by third parties (such as theft or hacking). Rather, they can also result from internal errors or process failures that cause accidental loss or disclosure. Drilling down into the details of the legislation, the remedial action that an organisation must take is in the form of a notification. Specifically, the legislation requires the above-listed organisations to notify “eligible data breaches” – those likely to result in serious harm to any individuals and businesses to which the information relates – to the OAIC and also to the affected individuals and businesses themselves. Notification must be made as soon as possible after the organisation becomes aware that “there are reasonable grounds to believe that there has been an eligible data breach of the entity”.
Examples of an “eligible data breach” are quite wide-ranging and include when:
- A device containing a client’s personal information is lost or stolen and there is no way of managing it remotely or ensuring that it hasn’t been accessed.
- A database containing personal information is hacked.
- Personal information is mistakenly provided to the wrong person (e.g. staff accidentally email a client’s personal information to another individual).
- There is unauthorised access to a spreadsheet containing client financial information.
If your own systems or passwords were hacked, you may in the worst cases be required to notify all your clients, employees/associates and other third parties, depending on the severity of the breach. The requirement to notify may therefore have a crippling effect on the reputation of your business, not to mention be an onerous process to undertake. It may also open you to civil action by these parties. Failure to comply with the legislation itself (by not making notifications where breaches have occurred) may result in fines from the OAIC (maximum $1.8 million for corporations, $60,000 for individuals).
Ensure your information security controls are adequate and improve them where necessary (this may involve staff training, cyber security technology upgrades, etc.). Even where your business is not captured by the new regime, data security breaches can cause immense damage to you and your customers, so ensure adequate controls are in place.