Mandatory Data Breach Notification – Is Your Business Prepared?

Posted May 12, 2017 in: Breach, Data, Information, Legislation, PII, Privacy, Security

Data Breach Overview

The threat of data breach has never been greater. While many organisations grapple with the challenge of securing their data, others lack sufficient incentive to do so.

This past decade has seen some very high profile data breaches, with the Personally Identifiable Information (PII) of hundreds of millions of individuals made public.

It’s hard to gauge the total number of data breaches, as many go unreported; there is, however, sufficient information to indicate that the number of breaches is rising consistently. For the year 2011-2012 the Office of the Australian Information Commissioner (OAIC) reported an 18% increase in voluntary breach notifications [1]. The annual Verizon Data Breach Investigations Report continues to show these numbers increasing, with comprehensive industry- and threat-specific trend data [2][3].

Privacy Amendment (Notifiable Data Breaches)

In 2012 the OAIC made submissions to the Attorney General’s Department to raise the issue of incentive for organisations to secure the data they hold and protect the privacy of the individuals that own that data; in the current arrangement of voluntary data breach notification, organisations can simply choose not to notify. In their submissions the OAIC made recommendations in support of the introduction of mandatory data breach notification legislation.

In 2016 the Privacy Amendment (Notifiable Data Breaches) Bill was passed, establishing a mandatory data breach notification scheme. The legislative changes come into effect on 22 February 2018 [4].

What You Need to Know

If your organisation is covered by the Australian Privacy Act 1988 (Cth) [5], or has voluntarily adopted the Australian Privacy Principles (APPs) [6], you will be obligated under the new legislation to notify the OAIC and all persons whose data may have been exposed.

Preventing Data Breaches

Basic, fundamental information security practices are the most effective way to safeguard the data under your protection [7]. Dealing with the fallout of a notifiable data breach may be far more costly to your business than reviewing your current security posture and implementing controls to address any identified issues.

If this is an area of concern for your organisation and you find that you are obligated under these changes, please contact The Digital Foundry’s security team for an obligation free consultation.

Citations

  1. https://www.oaic.gov.au/engage-with-us/submissions/discussion-paper-australian-privacy-breach-notification
  2. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report_2015_en_xg.pdf
  3. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf
  4. https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches
  5. https://www.legislation.gov.au/Details/C2016C00979
  6. https://www.oaic.gov.au/privacy-law/rights-and-responsibilities
  7. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en


The Digital Foundry Pty Ltd. All rights reserved.