Data Breach Notification Scheme

The rate of cybercrime and data breaches is getting worse by the day. The world has recently been shaken by multiple ransomware outbreaks and cybercrime events. A data breach is a serious incident in which protected or confidential data has been accessed, lost, stolen, or seen by an unauthorised individual or group. In response to recent events, the Federal Government has established a mandatory breach notification scheme under which organisations will be legally obligated to disclose data breaches that occur within the company.

What do you need to know?

Mandatory data breach notification commonly refers to a legal requirement to notify affected individuals and the relevant regulator when certain kinds of security incidents compromise information of a certain kind or kinds. In some jurisdictions, notification is only required if the data breach meets a specified harm threshold. Examples of when data breach notification may be required include a malicious breach of the secure storage and handling of information (e.g. in a cyber security incident), an accidental loss (most commonly of IT equipment or hard-copy documents), a negligent or improper disclosure of information, or any other incident that satisfies the applicable harm threshold (if any).

Read the full explanatory memorandum for the Privacy Amendment Bill here.

When does the scheme start?

The government still hasn’t confirmed a specific date (commencement is expected some time in 2018). According to Timothy Pilgrim, the scheme will be prepared in close consultation with agencies and businesses over the next 12 months.

Terms of notice

Organisations are obligated to notify the Privacy Commissioner and the affected customers within 30 days of the data breach incident.

Who does the legislation apply to?

The laws apply to all government agencies, organisations covered by the Privacy Act (small and large), and organisations with an annual turnover of $3 million or more.

Determination of a potential data breach

A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. A data breach is an eligible data breach where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred).


What should be included in the notification and how do I notify my clients?

A data breach must be disclosed to the Privacy Commissioner and the affected client(s). The notification must include the company’s name and contact details, a description of the breach, and any other information relevant to the data breach. The notice should also outline the recommended steps individuals can take to protect themselves and to guard against future data breaches. Companies are obligated to notify their clients/customers via email, phone or post.

What happens if I do not notify the government or my clients?

A failure to notify or declare a data breach can incur fines of up to $360,000 for individuals and $1.8 million for organisations.

To conclude, according to Timothy Pilgrim,

the new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

Read the full statement here.
