Earlier this year the new Mandatory Data Breach Notification laws came into effect. This means that if there is a data breach in your business, you are required by law to notify your customers, failure to do so can result in fines up to $2.1 million.
So what do you need to know?
A data breach occurs when personal information (name, contact or banking details etc) is accessed or released without proper authorisation or lost and likely to be accessed or released without authorisation.
Examples of a data breach can include:
You need to send a data breach notification when the breach is likely to result in ‘serious harm’. Examples of serious harm include:
You can notify affected parties either directly (email, phone) or indirectly (notification on your website). You must also notify the Office of the Australian Information Commissioner (OAIC).
You have a maximum of 30 days to notify the affected parties.
The following should be included in your notification:
A staff member loses a USB containing clients’ personal information on their way to work. The USB had client’s names, tax file numbers, and financial information. The USB is not encrypted or password protected.
The staff member reports the loss to their manager. The organisation believes it is likely that the information on the USB would be used for identity theft, or to send malicious emails. The organisation notifies each of their clients with an email about the data breach and includes recommended steps to lower the risk of identity theft.
In this scenario the organisation has taken the correct steps to notify users of their potential breach and would not be liable for fines under the Mandatory Data Breach Notification law.
The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.