Have you ever wondered how businesses are dealing with your personal information? Are businesses following policies and procedures when dealing with sensitive information? Are they protecting your privacy sufficiently?
Data breaches were a big issue in 2017, from Equifax to Uber. In the Uber incident, the American company admitted it had tried to conceal a hack in which the personal information of 57 million of its customers was compromised. Uber went so far as to pay the hackers $132,000 to delete the stolen data and stay silent. As more breaches at high-profile companies surface, consumers are questioning whether businesses are informing them as they should, or turning a blind eye and sweeping the dirt under the rug.
The consequences for businesses and federal agencies that fail to notify you of a breach of your private information will become much more serious this year, when the new mandatory data breach notification laws come into effect on 23 February 2018.
The Notifiable Data Breaches (NDB) scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017, amends Australia's Privacy Act 1988. The NDB scheme makes it mandatory for businesses and federal agencies covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches.
Mandatory notification is only triggered where the breach is "likely" to result in "serious harm" to any of the individuals whose information is involved. "Likely" means more probable than not. In assessing that likelihood, the kind of information compromised is taken into account, including its sensitivity, whether it was protected (for example by encryption), who has obtained or could obtain it, and the nature of the harm that could result. Although "serious harm" is not defined in the new law, the government's explanatory memorandum states that serious physical, psychological, emotional, economic, reputational or financial harm may qualify, as well as other types of serious harm that could reasonably result from the breach.
More detail is provided in the explanatory memorandum.
Once an organisation suspects a breach, it has 30 days to assess it and determine whether it is an eligible data breach under the NDB scheme; where it is, the OAIC and affected individuals must be notified as soon as practicable, not at the end of the 30 days. Failure to comply with the notification obligations can result in OAIC investigations and even substantial civil penalties.
The scheme applies to entities already covered by the Privacy Act: businesses and not-for-profit organisations with an annual turnover of more than $3 million, plus certain smaller organisations regardless of turnover, including credit reporting bodies and private health service providers, a category that can take in child care centres and even your local gym if it holds health information about its members.
If you are a business that falls under the Privacy Act, now is the time to review and audit your current information security policies and procedures so that they reflect the new obligations under the NDB scheme. The OAIC also recommends that affected businesses prepare or update their data breach response plan, so that a suspected breach can be assessed and notified within the required timeframe. If you need help assessing your business's information security, get in touch today.