Cyber Security now on the boardroom agenda – New data breach notification laws
Cyber Security must now be on the boardroom agenda with new data breach notification laws.
A new data breach notification law passed by the Australian Federal Government means that Australian companies will soon be legally obliged to disclose data breaches. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed through the Australian senate on Feb 13th 2017 and now brings Australian law in line with reporting requirement laws with the rest of the world.
Given the number and size of recent data breaches both in Australia and globally, the new law puts cyber security firmly on the boardroom agenda. The potential impact on brand reputation, consumer confidence and the potential cost to the business dictate that cyber security become a key priority to Board Directors, CEO’s and CIO’s across Australia. And with these new laws, they only have 12 months to get it right.
What are the new reporting requirements?
Specifically, the new law states that if your organisation knows a data breach has occurred, you are required to notify the Privacy Commissioner and customers “as soon as practical”. If you believe a data breach has occurred but you are not certain, you must undertake an assessment within 30 days to determine if a breach has occurred and you need to report.
Which organisations does it apply to?
The new law applies to government agencies and businesses that are governed by the Privacy Act. Organisations excluded from the laws include state government organisations, local councils or those that turnover less than $3 million per annum.
There are some businesses that are governed by the Privacy Act but turnover less than $3 million dollars. The laws will also apply to them. Such businesses include:
- Private schools at all levels and Child Care centres
- Health services providers
- Organisations that buy and sell personal information
- Individuals that handle personal information including information such as credit reporting, tax file numbers and health records.
What is considered a data breach?
A data breach is defined in the bill as a situation where “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.
The trigger for notification is the whether the breach gives rise to the “real risk of serious harm” to the individual affected. That harm is not limited to financial risk, but also risk to their personal reputation or discrimination. This may be the case if personal medical information were to be accessed as opposed to financial information.
When do the new laws apply?
A date has not been set for when the new laws take effect. Upon passing the legislation, the Government has 12 months to set a date otherwise the laws will apply 12 months from when they receive royal assent from the Governor General.
What is the penalty for failing to notify?
Failure to comply with the laws attract a maximum penalty of $360,000 for individuals and $1.8 million dollars for corporates.
Where to from here for senior executives?
These new laws now require organisations to take a more proactive stance on cyber security – and must place it firmly on the boardroom agenda.
Data breaches can no longer be swept under the carpet, or considered a once-off. The reality is that cyber criminals are not only motivated by financial gain, but also by the publicity generated by cyber-attacks. With these new laws, data breaches are more likely to gain public attention and increase the cost to business reputation, consumer confidence and affect long-term market share. With these potential costs, now is the time to prioritise cyber security as a business issue – not just an IT issue.
If you want to know more about the impact of the laws and how you may be affected, contact us for a free consultation today.
Source: Australian Privacy Law and Practice (ALRC report 108) Section 51. Data Breach Notification