Get ready for the new data breach law

Now’s the time to get to grips with the new data breach law, so that you’re prepared in case the worst ever happens.

It has been a long time coming but finally the Notifiable Data Breaches Bill 2016, which establishes a mandatory data breach notification scheme in Australia, has been passed by the Australian Senate and will become law in just eight months on 23 February 2018.

What is of concern is that I’ve already heard that there is confusion about the lack of definition around key words within the legislation, and many organisations are unclear about what constitutes a serious data breach and how and by when they should notify the Privacy Commissioner. So here are the eight things you need to know about the new law.

1. Who does the law apply to?

Any federal government agency or commercial organisation with turnover of over $3 million will have to notify the Privacy Commissioner and affected customers if their data is compromised by cyber attacks, technical failings or even human error.

However, I believe that organisations of all sizes and even those under the revenue threshold should act now and start making voluntary data breach notifications immediately, since many others are already taking responsibility for their breaches by reporting them before it becomes law.

An enterprise’s decision to notify the Office of the Australian Information (OAIC) on its own initiative is likely to be viewed by the public as a positive move. It will demonstrate to consumers that the organisation views the protection of personal information as a very serious matter, and thus can enhance public confidence in them.

2. Who do I notify, how and by when?

Breaches will need to be notified to the OAIC as soon as practicable after the organisation becomes aware that a serious data breach of personal information has occurred. However, without a stated deadline in the law, the lack of clarity as to when organisations are required to report a data breach will cause confusion and could lead to fines and reputational damage.

Although the practice is not law yet, some responsible Australian organisations have already taken the initiative to report data breaches. In 2015–16, the OAIC received 107 voluntary data breach notifications. The top five sectors during that time were:

1. Australian Government
2. Financial services
3. Health service providers
4. Retail
5. Online services

It’s important that investigations occur promptly, that documented and effective risk management policies exist and that investigations don’t go on too long. Once an incident happens, the needs of the victims must become the highest priority!

3. How do I know if a breach is serious enough?

The decision is being left to organisations to assess for themselves as to whether a serious breach has occurred, and whether it is going to pose a real risk of serious harm for the individual. These terms are not very well defined and this makes it difficult for organisations to know whether to report a breach.

5. How and when do I tell my customers?

If an organisation has informed the Privacy Commissioner, should they still inform their customers? The answer is yes, but only if they have been affected by the breach. There is no point in spreading panic amongst consumers that are not affected by the breach and potentially causing ‘notification fatigue’.

6. What happens if I don't notify a breach?

Given that non-compliance attracts fines of up to $1.8 million, organisations really do need to take this law very seriously. However, what we do not want to see is over-reporting, as that will not only swamp the OAIC with very minor breaches, but consumers could become overwhelmed with notices about breaches and start ignoring these types of communications from companies that hold personal data about them.

Once a serious breach becomes public knowledge, the reputational issues must be managed. It could be a ‘headline risk’ that affects a company’s stock price and its bottom line if it doesn’t notify the OAIC and its customers within a reasonable amount of time.

There is an additional risk that whistle-blowers will be keen to tell the Privacy Commission about offending organisations if they discover a breach that hasn’t been notified. The media will be quick to report on these breaches, particularly the first few cases once the law is in place — so beware!

8. Becoming a competitive differentiator

In this era of big data, the protection and privacy of personal information must be a primary consideration in the planning and construction of IT systems. When a company suffers a breach, it needs to urgently review its cybersecurity strategy and policies as well as its contingency plans and revise them accordingly.

Once the mandatory notification law is in place in February 2018, non-disclosure will no longer be an option. Organisations and agencies can focus on making sure that the inevitable infrastructure breaches don’t mean data breaches and, if they do, that they are containable. They can then focus on the right areas to improve best practices, work on prevention and invest in new technologies that will help them to minimise the risk of breaches due to technical failures or cyber attacks.

This may come as a surprise to many organisations, but post-breach notification and best practices will be seen in a positive light by the public — how organisations are perceived to have handled them will become a competitive differentiator. In short, having to disclose a breach will not be the end of the world for businesses, and will be regarded as a tick in their favour when handled well.

Pictured: Tim Murphy, Country Manager, Arbor Networks.

Follow us on Twitter and Facebook