Mandatory Data Breach Reporting - What it is and how can you protect yourself.
All businesses and not-for-profit organisations with an annual turnover of more than $3 million, together with private sector health service providers (including those with an annual turnover of $3 million or less), are required from 28 February 2018 to report any “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and to any affected, at-risk individuals.
An eligible data breach occurs when there has been unauthorised access to, or disclosure of, personal information, or when personal information is lost in circumstances that are likely to lead to unauthorised access or disclosure, and that access or disclosure is likely to result in harm or risk to the affected individuals.
Failure to comply with the new regulations will be deemed an interference with the privacy of an individual for the purposes of the Privacy Act, and can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
Security technology has come a long way in recent years, and given the threats businesses face online it is no longer acceptable to leave yourself unprotected. Having security software installed to protect your data is standard practice; however, if those controls fail you need to be prepared for what comes next.
If you haven’t already, you should prepare a data breach response plan. Its purpose is to ensure that the right steps are taken in the case of a suspected or confirmed data breach. The plan should be in writing, so that the necessary steps are followed consistently and all staff are aware of and understand the procedures.
Regular reviews and testing will keep your plan up to date and allow you to measure its effectiveness. A breach is enough to worry about without also discovering that your procedure is inadequate. The more thorough your plan, the more effectively your team will be able to respond to a potential data breach.
It should cover things such as:
Identifying a breach.
Reporting a breach, including a communication process for prompt notification of those involved and clear responsibility for who carries out each step of your response.
A triage process – how bad is it? This should include criteria for deciding whether a breach must be escalated to senior management or to the relevant authorities.
A strategy to record data breaches, including those that aren’t escalated.
A post-breach assessment and review of the damage, the processes followed and the effectiveness of your data breach response plan.
With these new changes it is imperative to familiarise yourself with the regulations and with the events that fall within the definition of an eligible data breach, and to review your IT and cyber risk policies, procedures, preparation and insurance needs.
If you have any further questions about these changes and how they affect you, feel free to get in touch.