Australia's new Data Breach Notification laws (the Notifiable Data Breaches scheme) came into effect on 22 February 2018. The scheme requires businesses and other entities covered by the Privacy Act 1988 (Cth) to notify both the Australian Information Commissioner and the affected individuals if they experience an eligible data breach.
The following snapshot about this new law is taken from Webber Insurance Services’ website.
We live in a time where businesses are increasingly suffering data breaches, whether from ransomware, other malware, or unauthorised access to their systems. Protecting a business from the loss or exposure of its data should now be seen as just as important as protecting it from a physical loss such as fire or theft.
So who does this law change apply to, what is an eligible data breach, what happens when a data breach occurs, and how can you protect your clients and your own business from an incident occurring in the first place?
The new Data Breach Notification laws apply to businesses and not-for-profit organisations that have had an annual turnover of more than $3,000,000 in any financial year since 2002 (the threshold above which an organisation is no longer treated as a "small business operator" under the Privacy Act). If a business has not traded for a full 12 months, its annual turnover must be estimated for the purpose of this test.
</gre_replace>
<gr_replace lines="7" cat="clarify" orig="Generally speaking">
Generally speaking, most small businesses will not have to comply; however, there are exceptions. A small business with an annual turnover of $3 million or less will still have to comply with the Data Breach Notification laws if it is:
Government agencies will also be required to comply with the new laws.
Generally speaking, most small businesses will not have to comply; however there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Data Breach Notification laws if it is:
The Australian Government has published a checklist to help organisations determine whether they fall into any of the above categories. The checklist is available on the Office of the Australian Information Commissioner's website.
An eligible data breach occurs when there is:
The personal information is held by the business, and a reasonable person would conclude that the loss of, or the unauthorised access to or disclosure of, that information would be likely to result in serious harm to any of the individuals to whom it relates.
Examples of an eligible data breach include:
If a business has reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment, and take all reasonable steps to complete that assessment within 30 days of becoming aware of the suspected breach. The assessment determines whether an eligible data breach has in fact occurred, so that the correct notification process can then be followed.
However, if the business takes remedial action before serious harm results, and as a consequence serious harm is no longer likely, the incident is not deemed an eligible data breach and notification is not required.
Once a business has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement about the breach and give a copy to the Information Commissioner as soon as practicable. It must then, as soon as practicable after preparing the statement, notify the individuals who are at likely risk of serious harm.
The notification to affected individuals and the Commissioner must include the following information:
A template for the notification statement has been developed by the Australian Government and is available on the Office of the Australian Information Commissioner's website.
The Data Breach Notification laws provide that a civil penalty can be applied to a business for a serious or repeated interference with an individual's privacy. At the time of writing, the maximum fine is $360,000 for individuals and $1,800,000 for businesses. Note that these penalties are expressed in the Privacy Act as penalty units, so the dollar figures increase whenever the value of a penalty unit is indexed.
Businesses need to ensure they have planned adequately for the new Data Breach Notification laws, and should consider the following:
The new Data Breach Notification laws have strengthened the case for businesses to have a Cyber Insurance policy in place. Whilst Cyber Insurance is not a magic pill that solves all of a business's requirements, it plays a valuable part: it is a practical way for a business to fund the cost of carrying out its Data Breach Response Plan, such as forensic investigation, legal advice and the notification of affected individuals. To find out more about what Cyber Insurance can cover, please visit Webber Insurance Services' website.
To read Webber Insurance Services' full summary of the Data Breach Notification laws, see the blog section of their website.