You may or may not be aware, but the Federal Government is introducing new mandatory reporting legislation around data breaches and loss of personal information, which may affect your business in the near future.
What do you need to know?
The legislation is called the Notifiable Data Breaches (NDB) scheme, and is part of the Australian Privacy Act (1988).
A website has been provided here outlining the relevant details.
At this point in time the legislation is still in draft form, but will become law on 22nd February 2018.
In practice this means that if your business has had a turnover of $3 million or more at any time since 2002, there is a good chance you will need to self-report any breach that occurs within your business after this date.
What is a Data Breach?
For the purposes of the legislation a data breach can be classed as the following:
Unauthorized access to personal information occurs when personal information that a business holds is accessed by someone who is not permitted to have access.
This includes unauthorized access by an employee of the business, or an independent contractor, as well as unauthorized access by an external third party (such as by hacking).
Unauthorized disclosure occurs when an entity makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act.
This includes an unauthorized disclosure by an employee of your business.
Loss refers to the accidental or inadvertent loss of personal information held by your business, in circumstances where it is likely to result in unauthorized access or disclosure.
For further reading and examples relating to a breach determination, please read the information outlined here: Identifying Eligible Data Breaches
What Happens When A Data Breach Occurs?
In the event your business is faced with a data breach and you’re not exempt from the legislation, at a basic level your business must report the breach to the relevant Government department and to the individuals whose personal data may have been compromised.
The business itself may also be required to publish statements on platforms such as websites, social media pages and/or print media which the business ‘considers reasonably likely to reach individuals at risk of harm’.
‘Risk of harm’ here means a serious risk to an individual of ‘physical, psychological, emotional, financial or reputational harm’.
Whilst there are situations built into the legislation where reporting can be avoided, failure to do so when required can result in large fines to both businesses and individuals alike.
How Can SIAX Computing Solutions Help Your Business?
Whilst it’s not possible to prevent every breach (your employees have the biggest role to play here), there are situations where we can add additional layers of security across your data.
This can range from minimizing access to, and encrypting, any relevant data you hold, through to enforcing any industry-required compliance and auditing measures.
For instance, whilst encryption has received a bad name due to its use in ransomware, when used correctly it potentially means that your data can be protected from unauthorized access after it leaves your network.
In that instance, you may be exempt from a reporting requirement.
Is My Business Affected By This Legislation?
The Federal Government provides a guide here to help you determine your status in regard to this legislation and whether you are required to comply.
As the requirements do vary from industry to industry, it may be beneficial for you to engage with a legal representative or business adviser who can assist you to make the right determination in relation to your circumstances.
Please note: Unfortunately it is not possible for SIAX Computing Solutions to provide any advice or guidance on this determination to your business.
Following this determination, if you’d like an assessment on your network please come back to me directly over the coming weeks.
From there, we’ll work with you to determine how best we can leverage the available technology within your business and provide any necessary quotations to facilitate the required outcomes.
This type of legislation has been in place in both the EU and America for a number of years now and there are already some industries within Australia governed by similar laws.
However, if this is something new to you and your business, you should take the time to examine the ramifications, as the outcomes could be very detrimental to your business, both financially and to its reputation, should you ever be affected.
If you have any questions please email me at firstname.lastname@example.org or call the office on 1300 799 928 for assistance.
Thanks for your time.
SIAX Computing Solutions