Notifiable Data Breach Scheme in plain English


Is your business affected by this new legislation?

On the 22nd of February 2018, the notifiable data breach scheme became effective. Companies are now obligated to notify the government of data breaches that are likely to result in serious harm to any individuals whose personal information was breached.


These types of data breaches can affect a company of any size, even a company such as Uber. Late last year, Uber revealed that it had covered up a massive 2016 breach of over 57 million users' personal data by paying the people who hacked it a substantial amount of money to delete the data. The Australian government has introduced this scheme to protect individuals' information and to hold companies more accountable for their actions.

The good news for businesses is that not all data breaches have to be reported. An eligible breach is only one that is likely to result in serious harm to any of the individuals to whom the information relates. Deciding whether a data breach is likely to cause serious harm is not an objective assessment, and therefore must be determined from the view of a reasonable person within your organisation. A data breach also does not have to be reported if you are able to rectify it quickly; for example, data may have been lost but recovered before any serious harm was caused. Each data breach will be different, so a case-by-case decision will need to be made.

Are you affected by the scheme?

Whether you and your business are affected by this new scheme is not so straightforward and depends on a few things (which I can hopefully clear up here for you). If you are already acting under the Privacy Act 1988 (Privacy Act), you will need to be aware of notifiable data breaches. Organisations covered by the Privacy Act include:

  • Australian Government agencies
  • Businesses and not-for-profit organisations that have an annual turnover of more than AUD $3 million
  • Private sector health service providers
  • Credit reporting bodies, credit providers
  • Any organisation that trades in personal information and tax file numbers

As always, there are some exceptions. Organisations are only obliged to report on the information they are obliged to protect under the Privacy Act. For example, a small business with a turnover of under AUD $3 million that collects tax file numbers will only need to report a breach of those tax file numbers, and not of any other information that falls outside the Privacy Act.

What happens if a breach occurs?

If a data breach has occurred, the Office of the Australian Information Commissioner (OAIC) will need to be notified. A form is available on the OAIC website and must be submitted as soon as the breach is identified as likely to cause serious harm. The form needs to include the following information:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned
  • recommendations about the steps individuals should take in response to the data breach

If a notifiable data breach is not reported, it can lead to fines of up to $2.1 million, so it is important to understand this scheme and how it can affect your business.

How you can protect yourself

There are many ways you can protect your company from hackers and keep your data secure. It all begins with taking a multi-layered approach to security – there’s no single “silver bullet”.

Some key areas to address include:

  • protect the perimeter of your network – ensure you have a proper firewall to control and manage what can enter and exit your systems
  • protect the endpoint devices – all computers need to have proper antivirus/antimalware software installed
  • protect your cloud – any cloud platforms you use need to be secure, and the data they hold needs to be backed up adequately
  • protect your identity – use complex passwords that are unique to each site or system you access, and never share your password with anyone. You can also consider using multi-factor authentication tools
  • filter what's incoming – this is especially important for email. Add a further layer of protection by using a spam filtering service that can cut down the noise and filter out dangerous attachments or links
  • protect your web access – it can be difficult to know whether a website you're accessing is safe. Use a web filtering tool to ensure unsafe websites and content are blocked – some compromised sites include malicious code that can steal information from your computer without you knowing it's happening!
  • education – train your fellow staff members to be vigilant, especially when it comes to clicking links in email messages. You need to learn to check before you click.

The list above is by no means exhaustive.


If you are still unclear, and to give yourself the best protection, see the government's information on who the data breach scheme affects.

If you need additional help protecting your business, you should speak to knowledgeable IT experts to ensure your data is safe.

Calvert Technologies