Data Breaches – What are your obligations as a business?
You will have seen many reports about data breaches in Australia and around the world. Obviously, you want to keep your and your customers’ private data secure. However, do you know your obligations?
An important change occurred on February 22, 2018, when the Notifiable Data Breaches (NDB) scheme came into effect.
The NDB scheme, established under the Privacy Act 1988, sets out the responsibilities of entities responding to a data breach. Organisations must notify the affected individuals whenever a data breach is likely to result in “serious harm” to any individual whose personal information is involved in the breach. Serious harm includes physical, psychological, emotional, financial and reputational harm. The Australian Information Commissioner must also be notified of eligible data breaches.
What is a data breach?
A data breach occurs if there is unauthorised access to, unauthorised disclosure of, or loss of personal information. Examples of a data breach include:
- Data or records containing customers’ personal information are lost or stolen
- A database containing personal records is hacked (for example, the recent PageUp breach)
- A cyber-attack that results in personal information being disclosed
- Personal information is mistakenly provided to the wrong person
- Employees browsing sensitive customer records without any legitimate purpose
Who must comply with the NDB scheme?
- Agencies and organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and tax file number (TFN) recipients, among others.
- Agencies and organisations that already have obligations under the Privacy Act 1988 to secure personal information.
- Entities that have Privacy Act obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify data breaches that affect other types of information outside the scope of their obligation.
- Regulated credit providers (banks or other credit providers).
A preparatory checklist
The following steps will help organisations comply with the notifiable data breach regime.
- Conduct an information security audit (and fix any issues found)
- Establish a data breach response team (an in-house team or an outsourced one)
- Create (or update) and test your data breach response plan
- Update your internal cyber security policies and train staff
- Review key contracts with third party service providers
Chill IT manages the Essential Eight, the Australian Cyber Security Centre’s prioritised list of mitigation strategies, for clients to protect their systems and data against cyber attacks.