The Australian Government’s long-awaited Notifiable Data Breaches scheme has now come into play, legislating protections around personal data privacy and placing Australia firmly by the side of the world’s leading economies.
The result of a decade-long journey between the Australian Law Reform Commission’s report recommending mandatory data breach reporting to its passage into legislation last year, will see a massive shift in where privacy sits on the priority list of both government and business. In the long term, greater transparency in the event of a serious data breach promises to boost public confidence in how their personal data is stored, shared and handled by the businesses they transact with, and the governments they trust. In the short term, businesses should expect some pain as the new laws change the way their organisation measures risk.
But it’s not just big business that will be impacted. By introducing fresh data security imperatives for businesses with an annual turnover of $3 million and over, the new law captures Australia’s small and mid-market businesses – a growing number of which are now selling into governments and large enterprise.
As governments encourage greater procurement participation from small business, and large enterprise turn to startups to inject innovation, we will see the big end of town refurbish contracts to mitigate their own privacy risks and protect themselves from data breaches that may occur along the data supply chain and throughout the contract, not just at the point of contracting. We’re already seeing this with Federal Government contracts, in which external bodies are often required to adhere to Australian Government privacy and data security standards.
Beyond the supply chain, businesses should brace themselves for the costs associated with bringing substandard privacy regimes up-to-code. This involves staff training and awareness on how to properly secure data, and modifying business processes to be more privacy-compliant. The rising cost of a data breach and increased reporting requirements is also likely to result in increased cyber insurance uptake by private companies.
When it comes to government at a federal level, this liability threshold does not exist. The Australian Government’s health and finance portfolios have been particularly good at meeting public expectations around privacy. But as government agencies and departments move towards an open data environment, it is important that they consider not only the privacy of electonically-stored information but paper-based systems. The government has traditionally been very good at managing the security and privacy of paper-based information, but last month’s Cabinet Files incident offers a timely reminder that complacency can undo even well-practiced and mature processes, compromising extremely sensitive information in the process.
Privacy is a politically and socially charged topic, and any change will require time and refinement before it is engrained in Australian corporate and consumer culture. For example, it will be interesting to see how the many small businesses with a variable annual revenue are impacted by the $3 million threshold. But the benefits of doing what is right will far outweigh the reputational and financial costs of being caught out publicly. Privacy is about people, technology and processes all working together to ensure the security and integrity of our citizens’ personal data.
Brian Fletcher, Director of Government Affairs – Asia Pacific, Japan & Korea, Symantec
