Australia has recently enacted new legislation on the federal level to bring its data security practices in line with nations like the United States. This was initiated with the intent of streamlining international cooperation concerning data storage on a corporate level and was enacted following numerous well-documented data breaches from companies as varied as Adobe to the American credit reporting agency Equifax – See Note (1).
On February 23, 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 goes into effect requiring all businesses in Australia to notify the Office of the Australian Information Commissioner and any impacted clients about any “data breach” under threat of severe penalty and public shaming – See Note (2). Here’s everything you need to know about this law and how it may impact your current business operations.
Who Does the Law Apply To?
The short answer is that nearly every business in Australia must comply. Those with annual revenue of about AU$3 million will soon be governed by this law. It doesn’t matter if you are a for-profit, governmental, or not-for-profit organisation – if you handle personal information then you are required to secure it and have in place a standard plan to notify impacted individuals in the event of a data breach. Basically, if your organisation collects any of the following, you are impacted by the revised privacy act:
- Credit reporting or building data
- Personally identifiable information
- Tax data
What You Need to Do
Most companies are already taking steps toward compliance with this act through industry-standard security initiatives. If you are already taking the privacy of your clients seriously then there’s a strong possibility that your security scheme and reporting mechanism is already compliant, or close to compliant, with the requirements of this act. However, it is a good idea to review the exact wording of the text with your legal team and determine whether your current policies follow the new stipulations in these three categories – See Note (3).
Identify At-Risk Data
You need to urgently perform an audit to determine what data your company intentionally or inadvertently collects on your clients and customers. Carefully consider if you need the data to carry out your business operations and minimize the actual amount of data collected. After that make certain you’re using the most effective security software possible to encrypt and secure the relevant personally identifiable information.
Develop a Compliant Response Plan
There should be three components of your response plan: identifying and closing security holes, notifying government agencies and impacted individuals, and training staff to prevent another breach (if human-caused). There should be a stated plan with an aggressive timeline to ensure rapid notification. Remember – every day a client is not aware that his or her data has been compromised is a day when he or she is at risk of identity theft.
Include all third-party service providers that have access to your data in this process. One of the weakest points in most security systems is when the data is transferred to another group. You can mitigate some of the inherent risks this creates by making certain everyone is on board with the stated plan.
Train Staff to Implement Plan
Much like with fires, data breach notification and prevention should be a disaster your employees are trained to deal with. Schedule drills covering a variety of scenarios and use the results to further refine your initial plan. The best notification arrangements are those that can be handled by muscle memory.
When Does the Notification Obligation Arise?
The notification requirement exists for all situations in which data is compromised, with the exception of situations in which both of the following conditions are met – See Note (4).
- The security threat has been remedied
- No credit/identity compromising information has been leaked
For instance, say your database of client phone numbers and emails was compromised. Since most people publish their numbers and email addresses online through social media this wouldn’t be considered a huge problem if you have now fixed the security issue. However, if that information also included their credit card information, then you do have to report it.
There are two classes of penalties for failing to adhere to the privacy act: legal and public shaming. The legal consequences include a public investigation that may result in civil penalties of up to AU$2.1 million.
The shaming consequence can be even more damaging. Failing to follow this act gives your competitors a free talking point in their marketing campaigns, “Choose Company B – We Protect Your Data, Unlike That Other Company.”
When Do I Tell My Customers?
You have 30 days to notify impacted individuals about the breach, how you responded to it, and the data compromised. Your notification may be in the manner that you usually use to contact the client, as long as it is secure and protects their privacy. The notification needs to include the following:
- Information compromised
- The situation
- What clients should do immediately
- Your contact details
Why Breach Notifications and Secure Data Best Practices Can Be Good for Your Image
One of the greatest challenges companies of all sizes face is showing their customers that they place privacy above profits. A data breach, if not handled in a prompt and transparent manner, reinforces the impression that the company does not care about its clients. By proactively developing and implementing a data breach contingency plan, you can mitigate the risk of this impression harming your market status.