Strategic Group Blog

Written by Emily Gam
on February 26, 2018

Earlier this year the new Mandatory Data Breach Notification laws (the Notifiable Data Breaches scheme under the Privacy Act) came into effect for organisations covered by the Act. This means that if there is an eligible data breach in your business, you are required by law to notify the affected individuals and the privacy regulator. Failure to do so can result in fines of up to $2.1 million.

So what do you need to know?

What is a data breach?

A data breach occurs when personal information (name, contact or banking details, etc.) is accessed or disclosed without proper authorisation, or is lost in circumstances where unauthorised access or disclosure is likely to occur.

Examples of a data breach can include:

  • A device that holds customers' information is lost or stolen
  • A database storing customer information is hacked or accessed without consent
  • Personal information is sent to the wrong person

When should you send a notification?

You need to send a data breach notification when a reasonable person would conclude the breach is likely to result in ‘serious harm’ to any of the affected individuals, and you have not been able to prevent that risk through remedial action (for example, remotely wiping a lost device before anyone could access it). Examples of serious harm include:

  • Financial loss through fraud
  • Identity theft
  • Risk of physical harm, such as by an abusive ex-partner
  • Psychological harm
  • Reputational harm

How to notify users?

You should notify affected individuals directly (email, phone or letter), either all of them or only those at risk of serious harm. Only if direct notification is not practicable may you notify indirectly, by publishing a statement on your website and taking reasonable steps to publicise it. You must also prepare a statement about the breach and give it to the Office of the Australian Information Commissioner (OAIC).

If you suspect a breach but are not yet sure it is an eligible one, you have a maximum of 30 days to complete your assessment. Once you have reasonable grounds to believe an eligible data breach has occurred, you must notify the OAIC and the affected individuals as soon as practicable; the 30 days is a limit on the assessment, not a grace period for notification.

What should be included in the notification?

The following should be included in your notification:

  • The kinds of personal information involved in the breach
  • A description of the data breach
  • Your organisation's name and contact details
  • Recommendations for steps the affected individuals can take in response to minimise harm

Example scenario

A staff member loses a USB drive containing clients’ personal information on their way to work. The USB drive held clients’ names, tax file numbers and financial information. The drive is not encrypted or password protected.

The staff member reports the loss to their manager. Because the information is unprotected and could be read by whoever finds the drive, the organisation concludes it is likely the information would be used for identity theft or to send malicious (phishing) emails. The organisation prepares a statement for the OAIC and notifies each of its clients by email about the data breach, including recommended steps to lower the risk of identity theft, such as contacting the ATO about the exposed tax file numbers and watching for suspicious correspondence.

In this scenario the organisation has met its notification obligations under the Mandatory Data Breach Notification law. Note that the outcome would likely have been different had the drive been encrypted and the key not compromised: the scheme allows you to take into account the security measures protecting the information, and how likely they are to be overcome, when assessing whether serious harm is likely. Encrypting portable media before it leaves the office is therefore one of the simplest ways to keep a lost device from becoming a notifiable breach.

The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.
