It's official: the February 22, 2018 deadline has come and gone and Australia's new data breach notification laws are now in full effect. If you still feel unsure about what these new laws entail, or if you were only scarcely aware that they existed in the first place, don't worry — it’s not too late to be informed.
According to a survey recently conducted by Midwinter's cybersecurity subsidiary Kamino, only about 32% of respondents were aware of the February introduction of the mandatory data breach reporting regulations.
At the same time, another 45% of respondents said that they had previously suffered some type of cybersecurity incident — this is particularly concerning given the fact that the new data breach notification laws govern exactly those types of situations.
The answer to these questions is fairly clear — the Office of the Australian Information Commissioner was reported to have received 31 new notifications in the first three weeks of the new data breach scheme alone. This means that these new laws are absolutely going to affect you, your employees, your customers, and your very business whether you were ready for them or not.
In truth, Australia's new data breach notification laws are fairly straightforward, all things considered. You just have to keep a few key things in mind.
Australia's new data breach notification laws, also commonly referred to as the Notifiable Data Breach Scheme, were designed in part to help manage cybersecurity accountability across the country.
Essentially, what they mean is that if your company:
Notify the Office of the Australian Information Commissioner in the event that any eligible data breach takes place.
Not only that, but you also must inform everyone who may have their personal data exposed, so that they can take the appropriate steps for protection moving forward.
Not every data breach necessarily falls under the NDB Scheme. According to one official from the Office of the Australian Information Commissioner, the laws “only apply to breaches involving personal information that are likely to result in any serious harm to any individual affected.”
Here are some example situations worth noting:
There are a few exceptions where notification may not be required for eligible breaches, but they are few and far between.
Simply put, the NDB Scheme matters a great deal to your business because you are statistically very likely to become the victim of a data breach at some point in the future — if you haven't been already. Cyber crime in general is a massive problem, particularly in Australia, and steps need to be taken to help mitigate risk on behalf of all parties involved in these situations.
The Australian government even recently estimated that cybersecurity incidents cost the country's economy a collective $1 billion every year — a number that is only going to climb over the next decade if steps aren't taken to mitigate the damage as much as possible. This is precisely the reason why the laws were designed.
Another reason why the new data breach laws matter has to do with what happens if your business fails to maintain compliance in the long term. If you thought that the immediate costs of a data breach were all you had to worry about, you may want to think again.
In addition to the massive risk of reputational damage, companies that suffer a data breach and do not take the appropriate notification steps are subject to fines of up to $1.8 million per incident. Likewise, company leaders and all key stakeholders are themselves subject to fines of up to $360,000.
So doing everything you can to learn about the data breach notification laws and make sure that you've taken all the appropriate steps to ensure compliance is vital.
Helping you understand why Australia's new data breach notification laws are important is one thing — helping prepare and protect the organisation you've worked hard to build is something else entirely. This is why we encourage you to check out part two in this four-part series of articles, which discusses 8 ways you can protect your business: Australia’s Data Breach Notification Laws Part 2: How to Protect Your Business.
As always, if you have any additional questions you'd like to see answered or concerns you'd like to see addressed, please don't delay — contact Powernet today.