3 Secrets Every CEO Needs To Know: About The New Australian Privacy Data Breach Laws.

We have all heard of the new privacy data breach laws taking effect in February, 2018.  What does this mean?

As of February 2018, new legislation will come into effect in Australia. The legislation will require entities to notify individuals, and the Office of the Australian Information Commissioner (“OAIC”), of data breaches.

Organisations in Australia will now need to be more conscious than ever of the personal information they are handling, as the long-awaited Notifiable Data Breaches scheme (“NDB Scheme”) comes into effect.

Data Breaches Will Arise In Two Ways – Based On The NDB Scheme

  1. When there has been unauthorised access to, or disclosure of, personal information;
  2. When circumstances arise, which are likely to give rise to unauthorised access or unauthorised disclosure to personal data.

What Every CEO In Australia Needs To Know About The New Cyber Security Breach Laws

  1. Organisations will be required to notify individuals of data breaches “as soon as practicable” after a breach has occurred.
  2. The Amendment Act, which establishes the NDB Scheme, will commence on 22 February 2018 and will only apply to eligible data breaches that occur on, or after, that date.

What Happens If I Ignore The Laws?

  • Depending On The Situation – Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties. This could result in the organisation being liable for a civil penalty of up to 2,000 penalty units, the current value of which is $210 per penalty unit, or $420,000…

How To Securely Destroy Personal Data

A document destruction policy should be developed and staff informed about the policy and any procedures. The policy should deal with the destruction of hard copy records and electronic records. For example, if hard copy records are to be destroyed, how will the destruction be carried out, for example, by burning, shredding, pulping etc?

If electronic records are to be destroyed, how will this be done? If the data is stored by a third party, how will that third party be instructed to destroy the data and more importantly, how will they verify that it has, indeed, been destroyed. Has data on backups been destroyed?

I’ve Been Breached, Now What?

An Entity will be required to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred.

Here Are 3 Mitigation Accelerators For CEOs:

  1. Prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC; and
  2. Take steps to notify the affected individuals. The steps required will depend upon the circumstances, but will usually include sending the statement to the individual via usual means of communication (this is, what is usual between the Entity and the individual).
  3. If the Entity has reasonable grounds to suspect an eligible data breach has occurred, then the Entity is not obliged to provide notification, however, the Entity will be required to complete a “reasonable and expeditious” assessment into the relevant circumstances within 30 days.

As businesses grow, sometimes the people employed or even the organisation in the earlier stages don’t grow with it.  From time to time, reputations are lost and overall cyber security control is neglected.

CIO Cyber Security is specifically tailored to the different stages of business, we have a program that will suit you and help you get your business cyber safe!

If you want to learn from the best in business, we invite you to pre-register for Inside The Mind Of A Hacker Breakfast now… those who do get the chance to secure limited 2-for-1 tickets (for just $47), and also go into the draw to win a Platinum VIP experience for themselves and a friend.

If you are interested then please feel free to pre-register here.

Author BIO

Dr Allison Stanfield is an expert in cyber security law, including Technology law, software development, license and IP agreements. Advising corporate organisations on cyber security legality and structure her passion and background is electronic discovery.  Allison has a PhD in Electronic Evidence and speaks at seminars and conferences around the world. 

Meet Andrew Constantine

Andrew Constantine is an entrepreneur and a cyber security advisor who is changing the world of cyber security. He is the CEO of Australia’s largest community of technology and business executives.