In February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect in Australia.
Under the new law, any government agency, organisation or business covered by the Australian Privacy Act 1988 (including businesses with an annual turnover of $3 million or more) is obliged to notify both the Office of the Australian Information Commissioner (OAIC) and the individuals whose personal information is involved in a data breach, as soon as practicable after becoming aware of the breach.
Under the Act, a notifiable data breach is one that is likely to result in serious harm to any of the affected individuals and that the organisation has not been able to neutralise through prompt remedial action. The Act defines a data breach as occurring when personal information held by an organisation is lost or subject to unauthorised access or disclosure. The notice must describe the breach and the kinds of information involved, and must include recommendations about the steps affected individuals should take in response.
According to the Office of the Australian Information Commissioner (OAIC), an eligible data breach arises when:
• A device containing a customer’s personal information is lost or stolen
• A database containing personal information is hacked
• Personal information is mistakenly provided to the wrong person
There is a widespread misconception that hackers are the number one cause of data breaches. This is mainly because we are regularly exposed to media reports about large hacking cases, such as the 2014 attack on Sony Pictures in which attackers stole huge swathes of confidential documents, including material relating to Hollywood celebrities, before leaking them online. The actual leading cause of data breaches, and often the most damaging because it disrupts business continuity, has been identified as unintentional human error: an email sent to the wrong recipient, a laptop left in a taxi, or a misconfigured system.
In a survey by the information destruction firm Shred-it of more than 1,100 businesses in Australia, respondents admitted that human error is a larger threat to information security than deliberate theft or sabotage by a third party. Datto has released its Notifiable Data Breaches Whitepaper, which discusses the NDB requirements in more detail.
If your business is concerned about the privacy and security of its own data and its customers' data, contact us to discuss your requirements.