Australia's New Mandatory Data Breach Notification Laws: Part 1
In this three-part series, learn how cybersecurity has impacted Australia and how new notification rules could impact your business.
By: Alex Tilley
The last 18 months have been huge for cyber security in Australia: the Australian Bureau of Meteorology was breached; the Australian Cyber Security Centre's 2016 threat report announced that CERT Australia had responded to 14,804 cyber security incidents in a 12-month period, a 25% increase on the previous 12 months; Prime Minister Malcolm Turnbull announced the investment of more than $230 million in the Australian Cyber Security Strategy over the course of four years; and finally, on the 14th of February a proposed amendment to the Privacy Act 1988 was approved by the Australian parliament. This amendment introduces eligible data breach notification for Australian organisations subject to the Australian Privacy Principles (APP). This three-part series will discuss the amendment at a high level, including what it means, what organisations can do to prepare now, and the critical importance of detection and response.
In simple terms, the amendment will only apply to organisations with an annual turnover of more than $3 million. If an organisation's annual turnover exceeds this threshold, it is known as an APP entity and is subject to the Privacy Act 1988. However, there are exceptions to this rule, so if you are not sure whether your organisation is an APP entity, we urge you to visit www.oaic.gov.au to find out what the requirements are and whether they apply to your organisation.
What Qualifies as an Eligible Data Breach?
So what does the amendment mean for APP entities? Let's start by defining what an eligible data breach is according to the amendment. An eligible data breach is deemed to occur where: (a) there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information in circumstances where unauthorised access to or disclosure of the information is likely to occur; and (b) such access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. The "serious harm" test is based on the standard of a reasonable person. If an eligible data breach has occurred, the APP entity must prepare a statement that sets out the identity and contact details of the entity, a description of the data breach and the kinds of information concerned, and includes recommendations about the steps individuals should take in response to the breach. This statement must be shared with the Privacy Commissioner and with the individuals to whom the information pertains. If it is not practicable to share it with the individuals, a copy of the statement must be published on the entity's website. It is also possible that fines may be imposed; this is at the discretion of the Privacy Commissioner.
The Time to Implement Security Strategies Is Now
In short, if you get breached, cannot detect the intrusion and subsequently cannot prevent the loss of data, you are likely going to need to report it. This can be daunting for a lot of organisations, but there is no need to panic. There is still time for organisations of all shapes and sizes to prepare and achieve a state of readiness. The provisions will come into force on a fixed date or a year after the amendment receives Royal Assent. This allows organisations a 'grace period' to implement security strategies before the government starts handing out fines. Parts two and three of this blog series will address the steps organisations can take to improve their security and set themselves on the right course for security maturity.
There have been a number of major security events in Australia in recent times, and these have been the catalyst for the introduction of eligible data breach notification laws. If the amendment is passed, APP entities that experience a breach and lose data are going to need to report the breach to the appropriate people. There will be a period for organisations to prepare after the bill becomes law, but the timeframe is not yet clear. Now that eligible data breach notification has been introduced to the Privacy Act, over time it will bring about a change in Australia's attitude to cybersecurity, and this will be a change for the better.