Cyber-attacks are real, as illustrated last year when the personal information of 1 in 10 Australian Uber customers was stolen by hackers. What you may not know is that Uber kept this security breach a secret for a year, and consequently the chief security officer was terminated. But data breaches aren’t restricted to hacking of the company computer. Do you take USBs home that contain private information of clients or employees? What if that USB fell out of your pocket on the train? You’ve got yourself a data breach right there.
From February 2018, businesses and not-for-profit organisations with an annual turnover of $3 million or more, all credit reporting bodies and health service providers, amongst others, must comply with new mandatory data breach legislation under the Notifiable Data Breaches (NDB) scheme! All of these businesses should have an action plan in place that can be activated when needed.
WHICH DATA BREACHES REQUIRE NOTIFICATION
An ‘eligible data breach’ under the scheme is unauthorised access to, or loss of, personal information that is likely to cause serious harm to the individual involved.
If your company falls victim to an eligible data breach, it must be reported. Non-compliance can result in fines of up to $420,000 for individuals and small businesses, and up to $2.1 million for corporations. These are significant fines, underlining the importance of ensuring you are compliant with the newly ratified changes to privacy law.
The legislation requires that, in the event of a data breach, you conduct an assessment, notify the affected individuals with a statement outlining what has occurred, and submit a form to the OAIC (Office of the Australian Information Commissioner).
WHAT SHOULD YOU DO NOW?
Conduct an audit of your business and create an Action Plan that includes the following processes and how they will be managed:
- Communication to affected parties and other relevant internal and external stakeholders
- Investigation – who will undertake this, how and when
- Prevention - what can be implemented to manage this risk in future
- Brand Management & PR – all social media and promotion activities should potentially be stopped until the current issue is resolved
- Become cyber savvy! Change passwords regularly, install anti-virus, train staff about security and privacy, and back up, back up, back up! Hourly back-ups are imperative, as you cannot plan for attacks, so you need to ensure your ICT provider has this enabled for you.
- Insure against cyber attacks, as insurance will protect you from loss of business and can cover a ransom payment to get you up and running again, investigation expenses, rewards, legal costs and public relations communications.
- Establish strategies to handle and protect personal information that is both online and offline.
- Plan who is responsible for all communications and investigations after a data breach. Get out on the front foot so you don’t panic if this ever becomes a reality in your business.
If you need help establishing your strategy or Action Plan for a Notifiable Data Breach, we can help. Email or phone us on 9590 0844 and we can help set up best practice for you.