With the passing of the Notifiable Data Breaches Bill, all entities will now need to report data breaches to the Australian Information Commissioner.
The essential goal of this mandatory reporting legislation is to avoid data breaches and to mitigate and limit the negative impacts when data is lost or stolen.
While the laws will give Australia some of the strictest disclosure rules in the world, this new legislation only covers Australian Government agencies and private organisations with an annual turnover of more than $3 million, the same threshold as the Australian Privacy Act introduced in 2014. However, as with those Privacy Principles, small businesses can also choose to opt in to increase consumer confidence and trust in their business.
What, if anything, does this mean for smaller businesses?
The Office of the Australian Information Commissioner (OAIC) has developed a data breach response plan for Australian businesses including a handy data breach response plan quick checklist.
According to the OAIC, your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals.
Data breach response plan quick checklist
1. How is a data breach identified?
2. Do your staff know what to do if they suspect a data breach has occurred?
3. Who is ultimately responsible for your entity’s handling of a data breach in accordance with the plan?
4. Who is on your response team?
5. Do you need to include external expertise in your response team, for example data forensics experts or privacy experts?
6. Do they know their roles and what to do?
7. Have you set up clear reporting lines?
8. When do you notify individuals affected by a data breach?
9. Have you considered in what circumstances law enforcement or regulators (such as the OAIC) may need to be contacted?
10. Do you have an agreed approach to responding to media inquiries, including proactive or reactive strategies?
11. What records will be kept of the breach and your management of it?
12. Does your plan refer to any strategies for identifying and addressing any weaknesses in data handling that contributed to the breach?
13. Are there any matters specific to your circumstances, for example:
• Do you have insurance policies that may apply?
• How will you keep your staff informed?
14. How frequently is your plan tested and reviewed, and who is responsible for doing so?
15. Is there a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan?
More information and processes will be released following the passing of the data breaches bill; however, all Australian businesses should have a plan in place.
Data breaches damage public trust and harm the people whose personal details are compromised. Businesses have a responsibility to secure data and to keep that data secure through ongoing vigilance.
It is clear that the intent behind the legislation is to make it imperative for organisations in the private and public sectors to step up their cyber security capabilities and be more proactive in improving their monitoring, detection and reporting.
Contact us today to discuss how Compu-Stor can ensure your organisation upholds your consumers' right to be protected from cyber data theft in line with these new legislative requirements.