Mandatory Data Breach legislation: Do you have a Data Breach Response Plan?
On February 22nd , 2018, Australia’s new Mandatory Data Breach Notification Laws come into effect, mandating a legal requirement to disclose information on any serious data breach, both to the affected individuals as well as to the Privacy Commissioner. The current penalties for non-compliance under this regulation range from $360K for an individual to $1.8M for a corporation, but it has been proposed to raise these amounts to $420K and $2.1M respectively, effective July 1, 2017.
Who Does the Data Breach Law Apply To?
Businesses that must comply include any organisations that are governed by the Privacy Act, including:
- Government agencies
- Not-for- profits with an annual revenue of more than $3M
- Businesses with an annual revenue of more than $3M
And additionally, it applies to specific types of businesses with a turnover of less than $3M, which include:
- Private sector healthcare and related businesses (including weight loss clinics, fitness centres, chiropractors and other alternative medical practices)
- Private schools and private education institutions
- Private schools and private education institutions
- Child care centres
- Credit reporting agencies
- Any business that buys or sells personal information
Individuals who handle personal information in their course of doing business (including insurance brokers, bankers, accountants, attorneys, health insurance providers)
How Will This Change the Way I Do Business?
If you run a business, you need to be aware of your obligations under this new law. One part of this obligation could be to have a response plan. Failing to disclose a breach can leave individuals and businesses subject to significant fines for non-compliance. So what should a plan look like?
What type of information is included in a Data Breach Response Plan?
While every plan needs to be tailored to the individual business needs, some common things to consider in your plan might include:
- How to determine a suspected breach?
- What should the staff member who detected the breach do?
- What should the Company Directors do?
- How do you contain the breach?
- How do you determine the risks associated with the breach?
- Who needs to be notified?
- How do you prevent further breaches?
The legislation does vary across industries, so it is also worth checking with your relevant industry association as to what you may need to do. If you are in the Financial or Medical industries, you may also have additional obligations.
From an IT perspective, we believe that prevention is also imperative to reduce your risk.
There are a number of strategies and technologies that Atlas IT has put in place that can significantly reduce the likelihood of your systems being compromised. Some of the technologies we already deploy for our clients include:
- Penetration tests – when was the last time a ‘white hat’ hacker tried to breach your network?
- Phishing campaigns – We have software to send fake malicious emails and provide video training to anyone who gets tricked into downloading our fake malware.
- 2-factor authentication – to increase password security by requiring a second form of authentication, such as a mobile device.
- Mobile device management – So we can remotely wipe your phone or laptop if it gets lost or stolen.
- Single Sign on – a system to sign onto every cloud platform with a single login, meaning that your users never need to know more than one password.
There is no silver bullet, the threat landscape is constantly changing, and the rise of crypto-currencies and ransomware is only adding fuel to the fire. However if you combine all of the five items above, the your systems will be harder to compromise and an It team may be able to mitigate any damage quickly, thus protecting your business.
If you would like help in formulating a Data Breach Response Plan, or improve the security of your systems in response to this new law, please talk to your Atlas IT account manager or contact our sales team for further assistance.