Published Feb 12, 2018 by Xiph
For quite some time, businesses have been able to self manage their IT problems and most importantly their security breaches, when I say breaches I mean possible hackers who could be trying to get your personal information. On February 22nd those security breaches will no longer be “self managed”, as the Australian Government has finally made it so businesses are legally obliged to report such incidents, there has been many failed attempts to bring this scheme to light, many different Governments have tried but it seems that many people feel this is long overdue, considering it got support from all sides of parliament, I’d dare say that’s true. Maybe last years Australian Red Cross Blood Bank Service breach which the details of many donors were exposed online could’ve had something to do with it.
Who will this affect? The new bill applies to any organisations that have to follow the Privacy Act, this also includes not-for-profit organisations, Australian Government agencies and other businesses whose turnover is of more than 3 million. Though there are some businesses that don’t turnover more than 3 million annually who will still be affected by this, these include; Private sector health service providers, which includes gyms, weight loss clinics and alternative medical practices fall under this category. Childcare centres, private schools and private tertiary educational institutions will also be affected by this bill and lastly businesses that sell or purchase personal information along with credit reporting bodies.
The bill stipulates disclosure is required following an “eligible data breach”, which is defined by the belief an individual is at “risk of serious harm” due to the disclosure of their personal information. Some people have argued that the ability for an organisation to internally evaluate what constitutes risk of serious harm is providing an opportunity for businesses/organisations to find a loophole in the new bill by leaving it up to interpretation.
With the bill being in place there are obviously requirements businesses need to follow, which obviously means there will be penalties if they don’t, what would those requirements and penalties be? When an organisation has identified a breach they are required to notify the Privacy Commissioner and affected customers within 30 days. It’s also detailed in the bill that if a business fails to comply with the new notification scheme it will be deemed to be “an interference with the privacy of an individual” and there will be some big consequences;
“A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.”
Businesses and organisations should be embracing this bill, it will allow them to find out where they should be spending their money on security and why. With businesses needing to contact the affected customers, it will help build trust and honesty. Australians now know that they do have a right to privacy and now if any of your personal information is leaked, you’ll know the parties responsible won’t be getting a slap on the wrist.
http://www.healthcareit.com.au/opinion/shell-be-right-not-long-mandatory-data-breach-notification-scheme-set-shake-healthcare – On February 22nd
https://www.alrc.gov.au/publications/51.%20Data%20Breach%20Notification/alrc%E2%80%99s-view – “risk of serious harm”
http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036 – Australian Red Cross Blood Bank Service breach
Posted in: Security
Related reading
Are you at risk of identity theft?
Nov 17, 2022
Your data is not safe anywhere ─ that’s the lesson from the spate of cyber breaches impacting Australia’s biggest companies like Optus, Medibank, Australian Clinical Labs, and EnergyAustralia (so far).
Why BYOD can be dangerous for your business
Jan 07, 2017
Bring your own device (BYOD) is a trend that is gaining traction in many workplaces. It refers to businesses where employees are not given a smartphone or tablet by the company, but instead use their own personal devices for work as well as their private lives.
Are tracking devices a security risk?
Oct 20, 2022
GPS-enabled devices whether that’s apps on our phones, in-car navigation systems, fitness trackers, or shiny new gadgets like Apple’s AirTag were created to make our lives easier, but also pose a security risk for users. We cover everything below.