Are you Aware of the New Cyber Security Legislation?
By Ron Cohen
9 February 2018
Cyber security is a growing issue that has affected a range of stakeholders, including governments and corporations. Just last year Uber admitted to a massive hack of 57 million users’ data. Cyber crime is becoming increasingly sophisticated and can affect every business.
As a result, the Australian government has introduced new legislation which comes into effect on 22 February 2018. The Privacy Amendment (Notifiable Data Breaches) Act 2017, which amends the Privacy Act 1988, imposes mandatory reporting obligations for data breaches that are likely to result in serious harm to individuals.
Cyber Security and the Notifiable Data Breaches (NDB) scheme
The new legislation creates the Notifiable Data Breaches (NDB) scheme, which forms part of a government initiative to deal with the growing amount of cyber security crime. It obliges businesses to report eligible data breaches (not every security incident, but those likely to result in serious harm), meaning businesses have greater responsibilities when dealing with the personal information of customers and employees that they store.
Businesses under this scheme will have a mandatory obligation to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and to all individuals who may be affected by such a data breach.
Where an entity has reasonable grounds to believe that an eligible data breach has occurred, it must prepare a statement containing its identity and contact details, a description of the breach, the kinds of information concerned and recommendations about the steps individuals should take in response to the breach. The entity must provide a copy of this statement to the OAIC and take reasonable steps to notify all individuals that are affected or at risk. An entity that merely suspects an eligible data breach may have occurred must carry out a reasonable and expeditious assessment, and complete it within 30 days of becoming aware of the grounds for suspicion.
The NDB scheme provides that any breach that is likely to cause serious harm to an individual must be reported. Serious harm includes:
– Identity theft
– Financial loss
– Threats to physical safety or emotional wellbeing
– Loss of business or employment opportunities
– Humiliation or damage to reputation
Examples of eligible data breaches include:
– Personal information being accidentally given to the wrong person;
– A device containing customers’ personal information being stolen or lost;
– A system containing personal information being hacked.
Which businesses need to be compliant?
The NDB scheme applies to various companies, businesses, agencies and organisations. These include*:
– Australian government agencies
– Businesses and not-for-profit organisations with an annual turnover of more than $3 million
– Credit reporting organisations
– Health service providers
– TFN recipients, e.g. employers
– Entities that trade in personal information
*This list is not exhaustive.
It should also be noted that many small businesses with an annual turnover of $3 million or less may not realise they are subject to the reporting obligations, for example because they are health service providers or trade in personal information. To be safe, small businesses should take steps to become familiar with the NDB scheme and determine whether it applies to them.
What this means for businesses
The new laws impose further obligations on businesses in their duties to customers, employees and other key stakeholders. In particular, entities will now have to:
– Review how they organise and store their information
– Review any data protection measures currently in place, and subsequently incorporate suitable data protection measures
– Minimise the risk of data breaches.
Most importantly, a failure to notify of an ‘eligible data breach’ is considered an interference with the privacy of an individual under this scheme. Serious or repeated interferences can result in significant civil penalties, including up to $360,000 for individuals or $1.8 million for organisations.
As a result, all businesses will need to review all relevant procedures that are currently in place.
To comply with these new laws and avoid these substantial penalties, businesses should consider seeking legal advice.
If you have any questions relating to these issues, please contact a member of our Business Law team.