Complying with Australia’s New Mandatory Data Breach Notification Regime

Francisco Lacerda
Issues Decoded


Australia has a new Notifiable Data Breaches (NDB) regime, one of the tightest in the world. Failure to comply with the new law could result in hefty fines.

As of February 22, businesses and government agencies have to notify potentially affected individuals and the Privacy Commissioner if lost or stolen data “is likely to result in serious harm to any individuals whose personal information is involved in the breach.”

Where previously there was no obligation to report breaches, regulators must now be notified “as soon as practicable.”

Although these laws have been in the making and publicly debated for ten years, research shows that most Australian businesses believe they are not prepared for the new regime (HP Australia IT Security Study, February 2018).

The best way to mitigate the impact of a data breach is, as with most threats, preparation. This involves highlighting the importance and value of data and how it is managed across the whole business. Staff need to be trained to properly handle and secure data. Businesses need to adapt to a more data-privacy conscious working environment.

Organisations need to have contingency plans in place in the event of a data breach. These new laws have only reinforced that need. Data breach risk management is no different to general risk management or crisis management. The processes are the same, albeit overlaid with the specifics of a data breach.

Companies will need to go beyond the operational aspects of the crisis and consider communications as well. Questions companies need to ask themselves in preparing for a data breach crisis include:

· Is there a crisis management committee?

· To whom, and where in the company, should data breaches be reported?

· Do all employees know who to report a breach to?

· Who holds the relationship with the Office of the Australian Information Commissioner?

· Are there other government agencies that may need to be informed of a data breach (or cyber-attack)?

· Do you have a matrix of stakeholders that need to be notified of a breach, setting out when they need to be notified and who will be responsible for notifying each of them?

· Do you have a media plan, holding statements and a designated spokesperson?

Transparency in the event of a data breach has proven time and time again to be highly regarded by the public. To be seen communicating during a data breach crisis can help boost confidence in the company by demonstrating that it is doing everything in its power to protect private data. How quickly it communicates and what it says during a crisis will determine how a company is perceived during and after the crisis. Protecting your reputation will depend on how much preparation has been undertaken prior to a data breach occurring.

For new business inquiries please contact Jacquelynne Willcox at jwillcox@powelltate.com


Sydney, Australia | Corporate communications and public relations professional