Businesses urged to heed data hacking wake-up call

If you own a business in Australia, mark February 22 in your calendar, because the future success of your brand depends on it. That date is when the Notifiable Data Breaches amendment becomes law, meaning Australian businesses must notify their consumers when a data hack, security threat or leak has occurred at their organisation.

An “Eligible Data Breach” occurs when there has been unauthorised disclosure of, or access to, personal information that is likely to risk serious harm to an individual, or when personal information is lost in circumstances likely to lead to unauthorised disclosure or access.

Up until now, organisations have been able to keep security threats quiet. Now they will be under a legal obligation to disclose all breaches to the Office of the Australian Information Commissioner within 30 days.

Just last week, Sydney financier Mike Harriot had $91,000 stolen from his bank account when hackers accessed his mobile account and posed as him in an online chat. All they needed was his date of birth and full name, and the money was gone.

It shows how easily Australian consumers can be fleeced of their life savings, and how vulnerable our businesses, both big and small, are to the threat.

Data expert and Managing Director of EC Integrators, Emy Carr, says Australian businesses are simply not prepared for the issue, but the new law is a first step in the right direction. “We should have done it a while back. It is definitely a welcome change,” Ms Carr said. “Before, it was at the businesses’ own leisure to really notify or not notify. But we are still lagging in terms of data governance. It wasn’t even being looked at or talked about five years ago. We’re still a long way away from where we should be.”

While Ms Carr welcomes the introduction of the new law, she feels the measure is not stern enough and is simply paying “lip service” to the problem.

“It’s not like the European General Data Protection Regulation that uses easier language to understand. This is vague. A lot of it is still open to interpretation for the businesses. Just make it easy for the common person to understand.”

Come February 22, businesses, big and small, could see their professional reputation ruined should they fall victim to a data hack or leak. Ms Carr has outlined the key points businesses must cover to ensure they are prepared.

  • Suitable data governance – Make sure sensitive data and personally identifiable information is kept safe and secure.
  • Analyse data collection – Look at data collection points and classify which ones need security.
  • Securing access to data – Lock down who has access to sensitive data and put in correct security and restrictions.
  • Recognise importance of data – Data is an asset and needs to be governed and secured.

“I would say most Australian businesses are not prepared enough or up to standard,” Ms Carr said. “Many are at risk of losing customers. You wouldn’t want to deal with any organisation who has leaked your personal information. It would be especially damaging to small business, it could be the difference between your business surviving.”