Australian businesses turning over more than $3 million a year will be forced to notify customers of serious data breaches if the federal government successfully passes its proposed data breach legislation.
The draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, introduced at the end of last year by the Attorney-General’s Department, requires any company or government agency subject to the Privacy Act 1998 to make the notifications within 30 days.
If passed, the bill will require companies to disclose a breach within 30 days if it concerns personal information and “there is a real risk of serious harm to any of the individuals” to whom the information relates.
Smaller organisations may also be subject to the scheme (health service providers, for example, and businesses that trade in personal information, employee associations, and credit reporting bodies).
Breach notifications are important because they give individuals a chance to change their passwords, cancel their credit cards or take other preventative action before the attackers can use any stolen data against them. For a company however, acknowledging the breach can mean substantial damage to reputation and business.
Many businesses are ill-equipped to detect a breach, often not finding out until months later. Satya Nadella, the CEO of Microsoft, recently stated that breaches remain unnoticed for 229 days on average. Even then, while the company may know an intruder has accessed its systems, it might not be able to determine what – if anything – was stolen. The need to make a potentially damaging declaration in the result of a breach would act as an incentive to make sure security systems are as tight as possible.
As it currently stands, Australian businesses do not have to notify customers or the privacy watchdog of data breaches, however, they may do so voluntarily. During the 2014-15 financial year, the Office of the Australian Information Commissioner received 110 voluntary data breach notifications from government organisations and the private sector, up from 67 notifications the previous year.
Under the government’s proposed legislation, businesses will be forced to notify the Australian Information Commissioner and affected individuals if there is a “serious data breach”. The draft legislation defines a serious data breach as one that involves personal information, credit reporting information, or tax file information being subject to unauthorised access or disclosure and putting those individuals affected at “real risk of serious harm”.
Whether an individual was at risk of “serious harm” would depend on a number of factors, such as whether the information is encrypted (and how hard that encryption would be to break) and the sensitivity of the information.
The government has indicated it wants to streamline the mandatory reporting process for businesses as much as possible to reduce the impact of additional regulatory burdens.
“The government intends to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact,” a statement issued by Attorney-General George Brandis said.
Not complying with the law would be subject to the range existing penalties under the Privacy Act.
The government is seeking feedback on the proposed data breach legislation, with the deadline for submissions being March 4, 2016.
To better understand your requirements, contact the blueAPACHE Consulting Team.