New Mandatory Data Breach Notification Laws: What Does it Mean For Your Business?

February 14, 2018

The new mandatory data breach notification laws which have been looming following passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 have now taken effect. As a result, the Notifiable Data Breaches (NDB) scheme has been established and officially commenced on 22 February, 2018. So, what does the NDB scheme mean for your business?

How does the NDB scheme impact your business?

The mandatory nationwide NDB scheme means that organisations must inform affected individuals in the event of a data breach. Breaches could involve unauthorised access to data, unauthorised disclosure of data, or loss of data. The scheme applies to your business if you operate under the Privacy Act and have a turnover over $3 million or if you handle sensitive or personal information.

You’re required to report a breach if a reasonable person would assess that the breach is likely to result in serious harm to the individuals involved. Serious harm could related to physical, psychological, emotional, economic and financial harm, as well as damage to reputation. There are certain exemptions to these reporting requirements so make sure you become familiar with the details of the NDB scheme if it applies to you.

What do you do in the event of a breach?

If there is a breach or loss of data that needs to be reported under the new NDB scheme, you must immediately inform the Office of the Australian Information Commissioner as well as letting affected customers know. In your notification to customers, you need to make sure you include details of the breach, the information which was involved, actions required by the customer, and your contact details.

There are serious penalties which apply if you fail to take the correct steps after a breach with the potential for $36,000 in fines for individuals and $1.8 million in fines for organisations. With that kind of money involved, you need to make sure you’re across the new changes!

What should your business do now?

With these laws in place, there is even more onus on businesses to ensure that their data is protected as customers will be made aware if there are any breaches and there are serious penalties for non-compliance.

Make sure you take the time to review your cyber security polices and develop a clear strategy to avoid breaches and minimise their impact when they do occur. It’s also your responsibility to make sure staff are aware of the new reporting requirements and work these into your policy so everyone is aware of the correct process in the event of a breach.

However, even with a robust plan in place to protect your data, there are times when a cyber-attack could occur resulting in a data breach. For this reason, it’s essential that your business has cyber liability insurance in place to protect you from the financial impact of a security breach.

If you would like to know more about cyber insurance, please feel free to contact me directly to discuss.