Get on the front foot with new Privacy Amendment Bill

On 13 February, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed through Parliament. It is the Federal Government's latest iteration of the long-anticipated mandatory data breach notification law, which aims to protect the privacy rights of individuals and to strengthen community trust in businesses and agencies.

The Bill defines an eligible data breach as unauthorised access to, unauthorised disclosure of, or loss of personal information, where a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates. Lost information counts where unauthorised access or disclosure is likely to follow from the loss.

As a result, once the legislation comes into effect (expected within 12 months), it will be mandatory to notify any case where there are reasonable grounds to believe an eligible data breach has occurred. Businesses must prepare a statement about the breach for the Privacy Commissioner and notify the individuals whose data may have been compromised, including the steps they should take in response. Where contacting individuals directly is not practicable, the statement must be published and publicised, for example through a public notice and a contact point such as a call centre. Individuals have a right to ask what information was leaked.

Even if you are not yet sure whether the relevant circumstances amount to an eligible data breach, you must carry out a reasonable and expeditious assessment, completed within 30 days of becoming aware of the grounds for suspicion. Failure to comply is deemed an interference with the privacy of an individual and can attract substantial civil penalties.

BDO and AusCERT's recent Cyber Security Survey highlighted just how few businesses are ready for these mandatory notifications. Only 48 per cent of respondents indicated that they have a cyber incident response plan in place, and only 41 per cent indicated that they have a cyber incident response team or capability to respond to cyber incidents. Just 49 per cent of respondents indicated that they provide cyber risk reporting to the Board and executives.

If the leaders of a business are not aware of the increased cyber risks and threats, and the business does not have effective cyber incident management plans and arrangements in place, how prepared is it to report and manage a breach under the new legislation? Senior executives are ultimately accountable for any breach, and that accountability will only increase under the new regime and the transparency it demands.

There is no doubt that cyber-attacks and data breaches will continue to increase in frequency, complexity and sophistication. It is vital that organisations improve their overall cyber resilience by having a Cyber Incident Response Plan in place so they can respond to and report on cyber-attacks as quickly as possible. Without such a plan, meeting the new legislative requirements within the 30-day assessment window will be very challenging, and businesses could find themselves wrong-footed by an unexpected attack.

Leon Fouche, National Leader for Cyber Security, BDO Australia