In early 2018 certain businesses will be required to notify their customers and the Privacy Commissioner if they experience a data breach. We look at which businesses will be affected and what you’ll have to do.
It’s becoming increasingly common to hear about companies large and small experiencing data breaches, and such a threat isn’t just keeping IT experts up at night. Many SMB owners don’t have IT departments at the ready and wouldn’t know what steps to take if an attack happens. One major point of confusion is whether you are obliged to inform your customers following an attack.
New laws that have been bandied around Parliament for the last five years and are finally through the Senate dictate that yes, certain businesses will have to report a breach both to the Privacy Commissioner and to their customers.
Which businesses are affected?
The legislation applies to all businesses that are governed by the Privacy Act. That includes:
- Businesses and not-for-profits with an annual turnover greater than $3 million
- Australian Government agencies
- Private sector health services providers (including alternative medicine practices, gyms and weight loss clinics)
- Child care centres, private schools and private tertiary educational institutions
- Businesses that sell or purchase personal information along with credit reporting bodies.
What acts does a ‘data breach’ include?
Under the Privacy Amendment (Notifiable Data Breaches) Bill 2016, a data breach is defined as a situation where ‘personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference’. Examples provided include:
- Lost or stolen laptops, removable storage devices, or paper records containing personal information
- Hard disk drives and other digital storage media being disposed of or returned to equipment lessors without the contents first being erased
- Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside the agency or organisation
- Employees accessing or disclosing personal information outside the requirements or authorisation of their employment
- Paper records stolen from insecure recycling or garbage bins
- An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address
- An individual deceiving an agency or organisation into improperly releasing the personal information of another person.
What you need to do
If your business falls into one of the categories above and there has been any unauthorised access to personal information, then from 23 February 2018 you must inform the Privacy Commissioner and either your entire customer base or only those customers you deem to be at risk from the breach.
Your notification must include your company name, contact details and a description of the breach. When reaching out to customers, using your regular channels of communication, such as email or post, is recommended so that they don’t dismiss your message as spam. Finding out, and passing on to your customers, any recommended courses of action they can take to protect themselves is also advisable.
Failure to comply with the new legislation can incur fines of up to $360,000 for individuals and $1.8 million for organisations!
For information about securing personal information check out the Office of the Australian Information Commissioner’s guide.