The Government’s new Mandatory Data Breach Notification Law came into effect on 22 February 2018. If you are a business that handles client personal details, credit information or Tax File Numbers (TFNs), you will be affected.
According to cybersecurity experts, more than 5 million personal records are stolen globally every day. Data breach activity continues to escalate in Australia, with Equifax, Uber and the public service accounting for some of the biggest breaches of 2017, and many smaller breaches going unreported.
It is not surprising that the Government has taken legislative action to get this problem under control. With bipartisan support, the new Mandatory Data Breach Notification Law took effect on 22 February 2018.
We summarise the changes and how businesses may be affected below.
Your obligations under the new law
If a data breach fits the eligible criteria below, you must assess the suspected breach within 30 days of becoming aware of it and, once you have reasonable grounds to believe it is an eligible data breach, as soon as practicable:
1. Alert the Australian Information Commissioner of the incident (including a description of the breach, the kinds of information involved and the steps affected individuals should take).
2. Notify the affected person(s) of the data breach.
Failure to follow these steps can attract a maximum penalty of $360,000 for individuals and $1.8 million for organisations.
What type of data breaches must be reported?
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked or personal information is mistakenly provided to the wrong person.
An ‘eligible data breach’ triggers notification obligations. An ‘eligible data breach’ is one that is likely to result in serious harm to any of the individuals to whom the information relates. It must satisfy the following three criteria:
1. There is unauthorised access to or disclosure of personal information, or a loss of personal information, held by an entity
2. This is likely to result in serious harm to one or more individuals
3. The entity has not been able to prevent the likely risk of serious harm with remedial action.
Who does the new law apply to?
Your business is affected if you are:
- An organisation (for-profit or not-for-profit) with an annual turnover of more than $3 million
- An organisation with an annual turnover of less than $3 million if you handle sensitive information such as client personal details, credit information or Tax File Numbers.
Examples include:
- Health services providers like GPs and medical specialists
- Gyms
- Childcare centres
- Credit reporting bodies
- Retailers who offer store loyalty programs.
What can businesses do to prepare?
With this change, it is advisable to review your privacy policies, practices and procedures to reduce the risk of a major breach. Note that the majority of data breaches are linked to employee negligence, so many breaches can be prevented simply by educating your staff on cybersecurity best practices. These include:
- Creating strong, unique passwords for each service (and changing them promptly whenever a compromise is suspected, rather than on a fixed schedule)
- Understanding how to identify phishing attempts
- Setting limits on the types of information staff can share through email and on social media
- Establishing a series of steps to follow if staff feel that information has been compromised.
See our article Cybersecurity isn’t just an IT problem for more advice on quick wins to improve your information security.