New Australian privacy laws came into force on February 22. Experts warn you may be left scrambling if your SME hasn’t locked down personal information and developed a response plan to deal with privacy breaches.
Changes to the Privacy Act mean Australian businesses with annual turnover in excess of $3 million must assess a suspected serious data breach within 30 days and, if the breach is confirmed, notify affected customers and the Office of the Australian Information Commissioner as soon as practicable.
But what does a serious breach entail – and where should you start, if you think you’ve had one?
Essentially, it’s any situation where personal information – think customer names, email addresses, phone numbers or more sensitive information such as health details – is compromised, Macpherson Kelley Lawyers IT principal Malcolm McBratney explains.
It doesn’t take much to fall within that definition, McBratney points out.
“Your system is attacked and you suffer a phishing attack, or someone loses their mobile phone and it’s not password protected, or someone’s provided information about an individual to the wrong person…it’s not a very high bar,” he says.
Unauthorised access to, disclosure or loss of personal information is not enough on its own: a breach is notifiable only where serious harm to one or more individuals is likely, and where any remedial action taken has not prevented that likely harm.
If a breach does occur, you’ll need to react appropriately and quickly, or risk being fined by the Office of the Australian Information Commissioner, a statutory body with the power to impose stiff financial penalties: up to $1.8 million for serious or repeated offenders.
Even if your SME is too small to be impacted by the new privacy rules, this is still a worthwhile exercise. A serious data breach can impact your customers and dent your business reputation; mitigating the damage is easier if you are prepared and can respond quickly.
“There’s no need to make it War and Peace,” McBratney says.
“What’s needed is a simple document outlining how you’ll determine whether a breach has taken place, who’ll be responsible for doing so, the steps you’ll take to remedy the breach, based on the nature of the incident, and how you’ll go about issuing a statement to customers and the Commissioner.”
It’s a good time to review your contracts with suppliers, if you outsource any computing or communications functions.
“Contracts should state that if the supplier experiences a data breach, they’ll inform you immediately and take steps to fix it in a timely m