- Data breaches must now be reported to the Office of the Australian Information Commissioner
- More than 90 per cent of ASX listed businesses, government departments, and large NGOs exposed in 2016
- Breaches open businesses up to compensation claims
Australian businesses with a turnover of more than $3 million are now required to report any data breach which could seriously harm people.
The Notifiable Data Breach scheme comes into effect today, and businesses will face penalties if they don’t comply.
Previously, the Office of the Australian Information Commissioner’s (OAIC’s) guidance on data breaches required businesses to take “reasonable steps” to secure personal information, including preparing and implementing a data breach policy and response plan.
The affected individuals were to be notified only if there was a “real risk of serious harm”. In little more than the past year alone, that would potentially include you if you were a customer or client of Domino’s, Medicare, Bupa, Telstra, Vodafone or Optus.
Businesses simply cannot be trusted to report breaches in good faith. In November, Bloomberg reported that Uber had paid hackers $US100,000 to conceal an October 2016 data breach that exposed the personal information of 57 million users.
The potential wider implications of data breaches are alarming. Research published by Forcepoint showed that more than 90 per cent of ASX listed businesses, government departments, and large NGOs were exposed to a data breach in 2016.
And according to accounting firm PwC, in 2015 there was a 109 per cent increase in detected security incidents in Australian companies, compared to a 38 per cent global average.
The new ruling is an amendment to the Privacy Act which now requires businesses with a turnover of more than $3 million to notify the OAIC as soon as an eligible data breach occurs.
An eligible breach is a breach in which there is:
- Unauthorised access to or disclosure of personal information that could be used to harm an individual; and
- Risk of unauthorised access or disclosure, in which case the information has been lost and is in danger of being used to harm an individual
The changes sound slight, and for most businesses it will be business as usual. Michael Milnes, head of Commercial Law, Practical Law Australia, Thomson Reuters Legal Australia, says the Australian laws are still “less stringent and the penalties less severe than similar regimes in other jurisdictions”.
But businesses will have to take extra precautions not to mislead anyone using their services into thinking they have security measures stronger than they actually do.
If a breach occurs, anyone affected could potentially seek compensation under consumer protection laws.
Brian Fletcher, Symantec’s Asia Pacific director of government affairs, says the changes see in “a massive shift in where privacy sits on the priority list of both government and business”.
Fletcher said there will be “some pain” as businesses come into line and bring their privacy regimes up to code.
“But the benefits of doing what is right will far outweigh the reputational and financial costs of being caught out publicly,” he said.