The Mandatory Data Breach Notification scheme is expected to be in place in Australia within the year. Once it is, businesses will be legally obliged to notify the Privacy Commissioner and affected customers when they experience an eligible data breach.
Who will it impact?
The scheme applies to the entities already regulated by the Privacy Act: Australian (Commonwealth) government agencies, businesses and not-for-profits with an annual turnover of more than $3 million, and certain smaller organisations the Act covers regardless of turnover, such as private health service providers and businesses that trade in personal information. State government bodies and local councils, and most businesses with a turnover below $3 million a year, fall outside the legislation.
What is a breach?
Two questions decide whether an incident is a notifiable breach. Has there been unauthorised access to, unauthorised disclosure of, or loss of personal information? If so, is it likely to result in serious harm to any of the individuals concerned?
A breach can be malicious, such as a hack that exposes customers’ credit card data or other personally identifiable information (PII); accidental, such as the loss of a hard drive or of soft-copy documents; or the result of negligent or improper disclosure of information. The information at stake includes personal details, bank account and credit card data, credit reporting information, credit eligibility information, and tax file numbers.
So what does your business need to know about mandatory data breach notification, and how can it best avoid a data breach in the first place?
Organisations that discover they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers within 30 days of becoming aware of the breach. The clock starts when the organisation becomes aware of, or has reasonable grounds to suspect, a breach, so the ability to detect an incident matters as much as the plan for responding to it.
The notification must describe the data breach, the kinds of information involved, and the steps customers should take in response to the security incident.
Failing to notify when required is an interference with privacy under the Act; serious or repeated failures can attract civil penalties of up to $360,000 for individuals and $1.8 million for organisations, in addition to the other remedies available under the Act.
How to prepare:
- Ensure your organisation has an up-to-date IT and data security policy
- Know where your data is, who can access it, and how it is secured
- Appoint a data breach leader who owns the response
- Develop a data breach response plan
  - covering both internal stakeholders and external ones, including affected customers and the media
- Ensure the board and management understand the cyber security risks that apply to your business
- Evaluate the risks
  - what would a breach cost your business?
- Implement best-practice, business-as-usual data security controls
- Manage third-party providers
  - how are they securing and handling your data?
Will your business really be targeted?
The US-based Privacy Rights Clearinghouse reported that in the first eight months of 2015 there were 120 million personal records breached, up from 70 million in 2014. Cybercrime can be very costly for a business. Around 42 per cent of data breaches are malicious or criminal attacks, according to a recent survey across 10 countries by the Ponemon Institute, which puts the cost of a breach at around $145 per compromised record. High-risk industries include finance, education, communications and healthcare.
Given the rise of cybercrime and the need to comply with Australia’s Privacy Legislation, it’s important to be proactive when it comes to protecting your customer data.
Mandatory data breach laws will effectively force companies to publicise that they have been the victim of a data breach. Based on recent case studies, that can mean negative brand exposure, lost customers, lost sales and revenue, and potentially penalties and fines.
If you are not sure how to find, secure and process your financially sensitive data, or need some help with PCI DSS compliance, financial data storage or payment processing, please call us on (02) 9006 6406 or contact us here.
Here is a case study highlighting how we were able to help a hotel and gaming group catch unsecured customer credit card data before anyone else could: