Cone of Silence Lifted – Mandatory data breach notification laws to take effect

Cone of Silence Lifted – Mandatory data breach notification laws to take effect

On 22 February, new laws will require businesses who suffer data breaches to notify both the government and their customers / clients.  The consequences of a notification could be extremely damaging to businesses, and it is therefore imperative to understand the rules and to take action to protect yourself!

What is mandatory breach notification?

Mandatory breach notification is a legal requirement which will require entities to provide notice as soon as possible to the Office of Australian Information Commissioner (OAIC) and to any potentially affected individuals where there are reasonable grounds to believe that an ‘eligible data breach’ has occurred.

Does this apply to my organisation?

All businesses with an annual turnover of more than $3 million must comply.

When has an eligible data breach occurred?

An eligible data breach arises when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
  • that is likely to result in serious harm to one or more individuals; and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

Examples of a data breach would include:

  • Providing or emailing personal information to the incorrect people (even mistakenly);
  • Contractors or employees disclosing personal information outside the bounds of their employment;
  • A company’s computer system containing customer’s personal information is hacked; or
  • Loss of data storage or a computer device which contains personal information.

What does notification entail?

When an entity experiences a data breach the first step is to contain the breach where possible and take remedial action. Where it cannot be mitigated through remedial action, it must notify individuals at risk and provide a statement to the Commissioner as soon as practicable.

What should I do?

All businesses subject to the rules should take the following steps now:

  1. Create a plan to mitigate the risks of a breach; and
  2. Consider cyber insurance to protect against the financial ramifications of such an incident.

If you would like further information regarding these matters, please contact your accountant at Hoffman Kelly who will be able to confirm whether the rules apply to your business, discuss the most likely data breaches that could occur in your business, and help you understand the financial consequences that could occur in the event of a data breach.  We can also assist with arranging cyber insurance to protect against the risk.

You can also follow the link below to the Australian Government’s publication:

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

2018-01-31T14:04:14+00:00

About the Author: