The Privacy Amendment (Notifiable Data Breaches) Bill passed in 2017 and, from today, requires firms to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
According to the OAIC, “a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure”.
The scope of reportable breaches is wider than most realise. Unauthorised access that triggers a reporting obligation is not necessarily a devastating cyber attack: it could come from an employee, an independent contractor, or an external third party.
The new scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes businesses and not-for-profit organisations with an annual turnover of $3 million or more, and TFN recipients.
Individuals and corporations that fail to comply with the notification rules risk fines of up to $360,000 and $1.8 million respectively.
Late last month, the Australian Small Business and Family Enterprise Ombudsman, Kate Carnell, said she’s concerned businesses aren’t aware of or prepared for the new requirements.
“Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read this morning a new study reporting 44 per cent of Australian businesses are not fully prepared,” said Ms Carnell.
“Another report by Telstra last year found 33 per cent of small businesses don’t take proactive measures to protect against cyber breaches,” she said.
Ms Carnell encouraged firms to think about data in the same way they think about office space: there is typically a reluctance to allow unsupervised access to an office without total trust.
“Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust, and report any suspicious activity that takes place on your premises,” Ms Carnell said.