Countries around the globe are putting policies in place to strengthen security and protect their citizens and business from cyber attacks. These pushes for new regulations are further proof of the increasing concern around the repercussions of data breaches as new high-profile security incidents continue to make headlines.
At this point, we are all aware of the GDPR and its impact on both European companies and companies that handle data belonging to EU citizens. But are you familiar with the similar legislation that Australia recently passed?
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Parliament on February 13, 2017. However, this legislation has been in the works for quite some time. The Bill amends the Privacy Act 1988 and introduces mandatory data breach notification provisions. These provisions require any organization that is accountable under the Privacy Act to inform the Australian Information Commissioner and members of the public if the data it holds has been compromised. The legislation is set to take effect in February 2018.
Australia’s bill is primarily focused on data breach disclosure. It affects Australian government agencies as well as businesses and not-for-profit organizations with an annual turnover of more than $3 million. Here are the details of the timeline Australian organizations must follow:
- Within 30 days the organization must determine whether it is an “eligible data breach.” Broadly speaking, an “eligible data breach” will occur when:
  - There is unauthorized access to, or unauthorized disclosure of, the information; and
  - A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
- Next, the organization must notify the Office of the Australian Information Commissioner and the affected individuals where it has reasonable grounds to believe, or suspects, that an “eligible data breach” has occurred.
- Finally, failing to report an eligible data breach could leave an organization liable for a civil penalty of up to $1.8 million.
Now that we’ve covered the basics, what does this mean for Australian businesses and citizens? One major change is the definition of what qualifies as an “eligible data breach.” In this case, eligible means people are considered impacted whether or not their information was actually exposed. By adding this extra measure, the Australian Government is taking care to err on the side of over-reporting. This is beneficial for Australian citizens, since they must be notified and will therefore be better prepared to take measures to protect themselves.
So, what are some key takeaways for businesses and security teams? As I mentioned before, Australia’s bill is another sign that the consequences of severe breaches reach far beyond security teams. It’s always best for organizations to be proactive rather than reactive when it comes to implementing security measures. I would strongly recommend that businesses meet (or, better still, work to exceed) all compliance requirements applicable to them as soon as possible. When it comes to security, being prepared and staying ahead of the game is always better.