The next 12 months are crucial for organisations to prepare for mandatory data breach legislation with severe penalties for individuals, organisations and brands that do not comply.
On 22 February this year the Privacy Amendment (Notifiable Data Breaches) Act 2017 received Royal Assent and on 22 February 2018 the new requirements will come into effect.
Marking one of the most significant changes to privacy and information security in Australian history, the law affects all organisations bound by the Australian Privacy Act and resulting Australian Privacy Principles (APP).
“Organisations who would have previously paid no attention are now being forced to take notice – and now it’s urgent,” Leon Slattery, Security Portfolio manager at ICT solutions company CSA said. “The new legislation is a reality check. Many people tend to automatically connect data breaches with being hacked, but data breaches can be caused by a whole lot less.”
Examples include losing or misplacing a device, media or hardware that contains sensitive information.
“Any exposure of sensitive data to an external party is considered a breach, whether intentional or otherwise, and this could take any digital form.”
According to CSA, organisations need in the first instance to understand how the phrase “take reasonable steps to protect personal information” applies to them.
“Every organisation is different, but having an Information Security Management System (ISMS) aligned with a recognised standard or framework such as ISO 27001 is a sensible starting point,” Slattery said.
With maximum penalties of up to $360,000 for individuals and $1.8 million for bodies corporate, it's imperative that business leaders and boards take action, according to CSA CTO Brett Woods.
“Information security is no longer a problem isolated to Chief Information Officers and Heads of Security, and the impact of data breaches, and the impending requirement to publish any occurrences, can have a devastating impact on an organisation’s brand.”
Woods added that the knock-on effect on consumer trust and confidence, corporate partnerships and, for larger companies, stock prices can be significant.
Yesterday saw the release of the Australian Cyber Security Centre's 2016 survey, and BAE Systems Applied Intelligence regional MD Michael Shepherd said that while Australian businesses have good protections in place, there is more to be done to protect critical infrastructure.
“It’s worrying that just over half (51 per cent) of all organisations surveyed said they tend to be alerted to possible breaches by external parties before they detect it themselves. It’s clear that businesses need to do a better job in detecting and diagnosing threats.”
Shepherd added a crucial step in improving resilience is elevating the importance of threat intelligence and analysis within the industry; another priority is establishing a culture of information sharing between government and the private sector.
To support businesses and agencies in getting ready for the new law, the Office of the Australian Information Commissioner (OAIC) is developing guidance and organising events to help organisations understand their obligations and be prepared in 2018.
The OAIC’s Notifiable Data Breaches webpage provides more details, including how to keep informed of future consultation events. For more on the cyber security threat read our forthcoming May edition of ADM.