Data breach reportingMandatory data breach reporting now in effect
As of 21 February 2018, businesses are now required to formally report a breach of their digital systems and files – with penalties of as much as $1.8 million for failing to do so.
The Notifiable Data Breaches (NDB) Scheme was announced by the federal government last year, as a means of trying to secure personal information, and to track where and how that data is illegally accessed so that these back entrances can be closed.
However the exact requirements, and process for complying with these new rules, have been unclear, leading the Office of the Australian Information Commissioner (OAIC) to issue a written guide on managing data breaches.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts,” claimed Commissioner Timothy Pilgrim.
“The scheme also has a broader beneficial impact — it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors.”
While potentially adding an extra impost for online businesses and users of cloud services, Mr Pilgrim added that the scheme “supports greater consumer and community trust in data management”, which will also benefit SMEs when choosing which digital service suppliers to engage.
The risks of a cyber breach are all too real. US firm Tesla is reportedly the latest high-profile victim of a hack, while Microsoft Office 365 and Google Drive were both recently found unable to detect a new strain of ransomware.
Last month, Australian Small Business and Family Enterprise Ombudsman (ASBFEO) Kate Carnell warned that around half of business owners are unaware of the new rules.
“If an unauthorised entity accesses anyone’s personal information from a business computer system, where it is likely to result in serious harm to that individual, that data breach will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as the individual affected,” she said.
“Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read … a new study reporting 44 per cent of Australian businesses are not fully prepared.”