Preparing the mid-market for the NDB scheme


In February 2018, the Notifiable Data Breach (NDB) scheme came into effect in Australia, which applies to all companies big and small. The Privacy Act 1988 (Privacy Act) now requires companies to respond to data breaches. If such a breach is likely to result in serious harm to any individual whose personal information has been compromised, then organisations have data breach notification obligations.

If your company is not a large corporate, you may be unconcerned. Small-business owners have plenty of other issues to worry about. However, whilst the NDB scheme might not be as important as cashflow and remaining competitive, the reality is that the NDB scheme is here to stay.

Cybersecurity breaches are a key risk for all businesses in Australia but the mid-market is even more at risk than larger corporations. Under the misconception that cyber security prevention is prohibitively expensive, many smaller companies have not invested sufficiently in safeguarding their cyber assets and are therefore the first targets for unscrupulous criminals.

The consequences of a cyber security breach are many and frequently devastating. These include financial loss, data theft, as well as reputational damage and loss of morale and trust amongst the workforce, customers and suppliers. Now there is an additional obligation to report breaches to the Office of the Australian Information Commissioner (OAIC) under the NDB scheme.

In many cases, the person responsible for IT in your organisation may not become aware that a cyber attack has occurred until many months later, or longer. In the initial response to a cyber attack, NDB obligations might not be front of mind.

Having a cybersecurity strategy is critical, particularly when it involves personal information, and not having one is akin to leaving the doors to your business unlocked. Think about all the data your business collects regarding suppliers, customers and employees. Personal information includes email addresses, phone numbers, bank accounts, gender, date of birth, job titles, investment information, Tax File numbers, health records and even details of membership of professional associations or unions. What does your business do with this information once it has been collected and how is it disposed of?

You will need to consider a number of measures, such as:

  • Do you need to anonymise personal information and are you collecting it for a proper and lawful purpose?
  • How do you allow people access/editing rights to their personal information?
  • How do you deal with personal information received from overseas, which may be subject to special rules?
  • What steps are in place to destroy or de-identify personal information once it is no longer needed or required to be retained by law?
  • Do you have a response plan if a privacy data breach occurs?

Still unmotivated? Consider this: the OAIC has powers under the Privacy Act to require businesses to implement enforceable undertakings (such as improvements to systems and processes) and can impose privacy breach fines for non-compliance.

Cyber crime is unlikely to decrease over time. As our economy digitises and the Internet of Things and Artificial Intelligence become embedded in most businesses, it is now more important than ever to put a cyber-security strategy in place that deals with prevention and detection. Your strategy should also include what actions you need to take for NDB reporting if the cyber breach relates to personal information.

The good news is that this need not come at an excessive and insurmountable premium. On the contrary, cyber security prevention programs and resources have become increasingly affordable for the mid-market. The cost of not investing and its consequences far outweigh any initial outlay.

Dana Bentley, Audit Partner, KPMG Enterprise