Years of data breaches and political wrangling over a data breach notification scheme have finally ended with a law.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 will require businesses to notify individuals if an "eligible" data breach occurs that may include their sensitive information. The changes to the Privacy Act focus on the potential harm a breach may cause to individuals.
Here are some of the key points, summarised by iTnews.com.au:
Who does it apply to?
Organisations currently required to comply with the Privacy Act. That is, businesses with a revenue over $3 million/year. It does not apply to state or local governments, political parties, or businesses with revenue under $3 million/year.
When does it begin?
22 February 2018 - unless the government proclaims an earlier date.
Why was a law required?
Until now, businesses and organisations have not been required to notify the public if they'd suffered a data breach. However, many have done so out of custom, respect for their customers, and for reasons of professional integrity. With more and more Australians finding it necessary to hand over their personal data for normal day-to-day activities, plus data breaches seemingly becoming a regular occurrence, a push to require notification gained momentum.
What do I need to know?
Businesses operating in Australia will be required to notify individuals who may suffer "serious harm" due to a data breach. A data breach has a wide meaning; it includes unauthorised access and accidental disclosure of personal information. This includes a direct attack, or accidentally forwarding a client's payment details.
The information considered personal information includes information that identifies an individual, credit reporting information, credit eligibility information, and tax file number information.
The next key point is determining what is "serious harm". It includes serious "physical, psychological, emotional, economic, and financial harm", plus harm to reputation. Determining whether serious harm is likely is judged on whether a reasonable person would think serious harm may come to them due to the breach on a more likely than not basis.
What does my business need to do now?
If your business is covered by the Privacy Act, the changes will apply to your business and require planning. Non-compliance with this new law attracts serious fines, up to $1.8 million for businesses. Compliance with the data breach notification requirement should be reasonably straightforward.
It arguably goes without saying that data breaches, whether accidental or the result of a targeted attack, should be disclosed anyway, as part of good, honest IT practice.
To find out more about the Privacy Act amendments, including who must be notified and what the notification should contain, we recommend reading iTnews and perusing the Explanatory Memorandum (PDF) to the law itself.