Data breach notification laws come to Australia
Privacy laws in Australia are about to change. They are being modernised to help protect individuals’ personal and sensitive information.
In February, both Houses of Parliament passed a bill to introduce mandatory data breach notification laws. When the laws come into effect sometime this year, we all will have new responsibilities.
Here’s what you need to know to help you comply and avoid large fines.
When can a data breach occur?
We are all busy, so we rely more and more on technology to get through our busy life. We use apps and systems and store more information online. We get bombarded with usernames and passwords to enter, so we do what is easiest, use a simple password that you can remember or write it on a board in case you forget. When do we think about the value of the data? Sadly, in most cases it never even crosses our mind. Do you even think about the security implications? No, I’m too busy. There are security experts out there, but many can’t convince you that there is any value behind the cost.
I’m too busy leave me alone
Are you collecting personal data about your clients? A name, phone number, and address is considered personal. In many instances we store this data in office systems, website and emails. You may get your assistant to book that travel request, so you sent them your credit card details in an email. You sell goods online so you may even store your clients credit cards on your website, or on your computer. There is so many passwords to remember so you store all usernames and passwords in a spreadsheet on a shared drive
Sounds familiar?
Whats the big deal?
Back in another timezone on the other side of the planet the ever growing black market for data theft is thriving. Hackers form China, Russia and Ukraine, are putting their skills to good use. Their skills can earn them hundreds of thousands of dollars by stealing data. There is almost no risk given the tools available to hide your identity. Even so, Australian laws don’t apply in these countries. There are so many systems out there to hack, they are easy to hack as the people that own theme are too busy to be even think about securing their systems. And besides while they sleep, I am awake. Actually, I never go to sleep because its a gold mine out there.
How do hackers make money?
Here is an example.
- Your website gets hacked through a know exploit, because most people don’t update their website software. Once its built, they think that’s all that needs to be done. Once inside your website they plant a virus, or malware so they can gain access to your hosting account details. Once they do this, they have all your emails, past and future. All this is usually done without your knowledge, and sometimes hackers collect data for months before they strike. This is because, its only a matter of time before you put in a username, password or credit card number in an email, something which is gold.
- Now they have your data and they strike by encrypting all your company’s data, on your servers, desktops and notebooks; then they demand a fee of thousands of dollars with a deadline or your data is deleted or sold;
- At this stage people usually understand whats at stake, but many don’t factor in the cost of being sued by the individuals whose personal data has been exposed.
- Now there is a third element to consider. If you have not reported the breach, a fine of $360,000 to $1.8 million may be applicable.
Being hacked is bad enough, now I risk a fine?
A data breach is defined as an incident where there has been unauthorised access to customer information, or disclosure or loss of customer information, which leads to a real risk of serious harm to the individuals concerned.
When preparing a notification for the Privacy Commissioner and affected individuals, you will need to notify those affected in the normal way you communicate with them, such as email, phone, or post, but you must take reasonable steps to do so. If you are unable to notify them personally, you can publish a notification on your website.
Penalties for failing to notify
The Privacy Commissioner can issue a written direction requiring an organisation to notify of a breach if they discover it has occurred. Penalties for non-compliance include public apologies, compensation payments, and where there’s been ‘serious or repeated non-compliance’, large fines. Individuals can be made to pay $360,000 and organisations $1.8 million.
Improving your cyber security
These new laws are an important reminder of the financial damage data breaches can cause your organisation, not to mention the harm they can bring to those whose information has been breached.
Contact Net Solutions as we take cyber-security very seriously and can advise you of the risks and help put in place solutions to help mitigate the threat of a data breach
Further Assistance
Assistance is also available via State and Federal Government agencies and other sources including:
