Organisations will soon be legally obliged to disclose data breaches thanks to a new bill that has been passed by the Federal Government. How will these new laws impact your business? Read on to find out more.
After going through the House of Representatives last week, The Privacy Amendment (Notifiable Data Breaches) Bill 2016 made it to the Senate and was passed by the Government.
Will My Business Have To Comply With The New Mandatory Data Breach Notification Laws?
The bill applies to organisations that have responsibilities under the Privacy Act. This includes:
- Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
The Privacy Act also applies to some types of businesses with an annual turnover of $3 million or less, so, by extension, the Data Breach Notification laws will apply to them too. These businesses include:
- Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
- Child care centres, private schools and private tertiary educational institutions
- Businesses that sell or purchase personal information, along with credit reporting bodies.
Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records, are also covered under the new data breach notification scheme.
What If The Mandatory Data Breach Notification Laws Apply To My Business?
The laws will come into effect within the next 12 months. Once the mandatory data breach notification scheme starts, your business will need to report any 'eligible' data breaches to the Australian Privacy and Information Commissioner, Timothy Pilgrim, and notify customers that may have been affected as soon as possible.
What Qualifies As An 'Eligible Data Breach'?
According to the bill, a data breach is classified as an instance where there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure".
It qualifies as an "eligible data breach" when there is a likelihood that the individuals affected by the incident are at "risk of serious harm" because their information has been exposed. The Australian Law Reform Commission elaborates on what is considered "serious harm".
In their notifications to the Privacy Commissioner and affected customers, businesses must include a description of the data breach, what kind of information has been compromised and steps that individuals can take to respond to the incident (such as telling customers to change their passwords on affected online accounts).
What Are The Penalties For Not Complying With The Data Breach Notification Laws?
As detailed in the bill, failure to comply with the new notification scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences:
"A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate."
Look, we know the data breach notification scheme is yet to begin and it doesn't apply to all businesses, but reviewing your company's data security to ensure that no customer data is unwittingly compromised should always be a priority.
If you've been lax with your data security policies, this is a good wake-up call that the Government is taking data breaches more seriously. Now is the perfect time to take a good hard look at how you're protecting your customer data and whether or not your security practices are adequate.