Are you prepared for the new Data Breach Notification Laws?
28 February 2018
By Richard Kemp, Watts Price Accountants
On February 22, 2018 the new Data Breach Notification Laws came into effect.
Many Australian organisations are now legally required to notify affected individuals, and the Australian Information Commissioner, of any eligible data breach affecting personal information.
Does this affect your business?
This new legislation applies to any organisation currently subject to responsibilities under the Privacy Act. That essentially includes businesses and not-for-profit organisations with an annual turnover of $3 million or more, a number of other organisations specified in the Act (such as health providers, credit reporting bodies, employee associations and service providers under a Commonwealth contract), and any entity that receives an individual’s tax file number (TFN).
What is an eligible data breach?
An eligible data breach arises when the following three criteria are satisfied:
- there is unauthorised access to, or unauthorised disclosure of, personal information that an entity holds, or a loss of that information (in soft or hard copy form);
- the access, disclosure or loss is likely to result in serious harm to one or more individuals; and
- the entity has not been able to prevent the likely risk of serious harm through remedial action.
What constitutes Personal Information?
Personal information includes names, signatures, addresses, telephone numbers, dates of birth, medical records, bank account details, credit information and similar data, or any other personal information about an identified, or reasonably identifiable, person.
If you’re an affected organisation that suspects an eligible data breach has occurred, you have 30 days to assess the suspected breach and determine whether notification is required.
Failure to comply with the mandatory notification requirements is treated as an “interference with the privacy of an individual”, and can be penalised by forced notification, public apologies, compensation payments and fines of up to $360,000 for individuals and $1.8 million for organisations.
Prevention is the best medicine
All business owners, not just those deemed to be affected organisations, would be wise to consider what steps they can take to prevent potential data breaches. These may include:
- Ensuring adequate security measures are in place
- Preparing a data breach response plan
- Considering cyber insurance, which is becoming an important consideration for any business or organisation as the threat of cybercrime grows
What steps has Watts Price Accountants undertaken?
As an organisation that holds clients’ TFNs and other personal details, we have always been especially diligent about security.
Some of the measures we use include:
- Staff training in how to identify issues, what to do and who to contact
- IT usage policies
- A mandatory strong password policy
- Two-factor authentication
- Automatic security and system updates for all computers, servers and our website
- Document destruction bags for paper documents and a fire-protected compactus for physical file storage
- A firewall to block ransomware, encrypted threats and phishing attacks, not only on wired networks but also on wireless and mobile networks
- Anti-virus software
- Messaging security software
If your business needs assistance in preparing for the new Data Breach Notification Laws, or just some advice on security measures in general, please contact Richard Kemp, our Practice Manager, on 5382 3001 or via email at firstname.lastname@example.org.