Now that mandatory data breach reporting is here, is your business prepared?
Previously, breaches of data held by businesses in Australia were either never happening or never coming to light. This is set to change now that mandatory data breach notification laws became effective on 23 February 2018 in Australia. It's still early days before we see the first business that must disclose what would be a publicly humiliating and financially debilitating data breach incident to the Office of the Australian Information Commissioner (OAIC) and to the people whose data has been compromised. The idea behind the new legislation is that individuals can take steps to protect themselves in the event that their personal information is compromised.
Data breaches can occur in a number of ways, from computer hackers breaking into a business IT system and taking customer information such as identity details, credit card numbers and the like, to relatively innocent circumstances where private information is lost, for example, leaving a backup drive, disk or USB stick in a taxi, on the bus or in a car that is subsequently broken into or stolen.
While this is a protective measure to ensure big businesses (holding highly private information for a large number of customers) do everything possible to protect that data, it's not just a measure for big business: medium and some small businesses are also impacted. The new obligations apply to businesses (and Australian government agencies and not-for-profit organisations) with an annual turnover of $3 million or more, and also to smaller businesses such as private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and businesses that hold tax file numbers.
A failure to comply with the notification obligations will result in penalties and, potentially, an investigation into the incident. Penalties can be up to $1.8 million.
Amongst the things a business needs to do, if it hasn't done so already, are:
- review/audit current cyber security measures,
- patch systems and update software,
- restrict administrative privileges,
- only install those software applications that are permitted to be present on a computer system,
- establish and maintain a security system,
- establish policies and procedures for the steps to be taken in response to a data breach,
- for smaller businesses, consider cyber insurance to cover the costs of engaging professionals to deal with a cyber security incident.
Written by Chieftains, an accounting firm that exists to help business owners increase profits and reduce risks, allowing them to astutely provide for their retirement.
This article is for guidance only, and professional advice should be obtained before acting on any of its contents. Neither the publisher nor the distributors can accept any responsibility for loss occasioned to any person as a result of action taken or refrained from in consequence of the contents of this publication. Liability limited by a scheme approved under Professional Standards Legislation.