The Privacy Amendment (Notifiable Data Breaches NDB) Act 2017 that came into effect on February 22, 2018 means that most Australian businesses must comply with the new law. The NDB scheme applies to government agencies, not-for-profit organisations and businesses with an annual turnover of $3 million or more. It requires them to take steps to secure certain categories of personal information that are likely to result in serious harm to any individual.
However, the inaugural Canon Australia Business Readiness Index on Security found that many Australian businesses were not sufficiently up to speed on the new data breach notification laws. Smaller businesses that will be affected by the changes to the Privacy Act are typically not familiar with the new laws and how it will impact their business, with only one in five prepared for the new regulations. Only 19 per cent of businesses with 1-19 employees or 38 per cent of those with 20-199 employees were aware of the data breach notification law. This is concerning given failure to comply puts private organisations with a turnover of more than $3 million at risk of fines up to $2.1 million for non-compliance.
The study, conducted by GfK Australia in January 2018, found other worrying trends. “Only 40 per cent of businesses have six or more of the Australian Signals Directorate Essential 8 (ASD8) strategies in place and decreases to 27 per cent for small businesses with 12 per cent having no ASD8 strategies in place at all.
What is a personal information breach?
Refers to any unauthorised access or disclosure of the personal information your organisation holds. It also includes loss of information that is likely to lead to unauthorised access or disclosure.
When to notify?
The obligation to notify will apply if you have reasonable grounds to believe that: a breach has occurred, and a reasonable person would conclude that the breach is likely to result in serious harm to the person that the information relates to.
The five most common security incidences that occurred in Australia in the last 12 months were viruses, spam, malware/spyware, phishing and ransomware.
“The prognosis is clear; Australian businesses need to improve their data protection measures. Failure to do so could risk compromising confidential data, expose them to hefty fines and lead to significant reputational damage,” the report summarized.