Data Breach Notification Laws: What you should know & your Customers shouldn't ignore
On 22nd February 2018, the Federal Governments mandatory Data Breach Notification Law comes into effect. This legal obligation will potentially have an impact across any business, and their "service providers" that handles personal information or has responsibilities under the Privacy Act. All eligible businesses must comply with their reporting obligations or run the risk of facing penalties of up to $1.8 million for non-compliance of the mandatory Data Breach Notification Law. This Law doesn't just target "Big Business". SMB's must also make sure they are prepared as part of their cyber security strategy.
An opportunity for Reseller's:
- This is a real and compelling reason to reignite or start a conversation with your Customers about their cyber strategy.
Where are the "holes" and how can your business help to solve them?
- An opportunity to review their security solution to ensure they have a robust, flexible security solution that will enable them to meet reporting obligations.
Can their security solution give them and their stakeholders "peace of mind" and reporting capabilities, if faced with a data breach notification requirement?
- Ensure your reporting responsibilities and compliance are clearly agreed and articulated as "contracted service providers" may also be responsible in responding to an eligible data breach.
Data Breach Notification Law at a glance:
- Commences 22nd February 2018
- Applies to all organisation with responsibilities under the Privacy Act including:
- Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
- Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
- Child care centres, private schools and private tertiary educational institutions.
- Businesses that sell or purchase personal information along with credit reporting bodies
- Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records
- A data breach is classified as an instance where there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure".
- An organisation will be exempt from notification if it takes such remedial action in response to an eligible data breach (or potential eligible data breach) that a reasonable person would conclude that:
- the remedial action has prevented a loss of information leading to an unauthorised access or disclosure; or
- the unauthorised access, unauthorised disclosure or loss of information is not likely to result in serious harm to the affected individuals.
*This page is for information only. For a full understanding of all legal obligations of businesses and their contracted service providers, please click on the link above and discuss with a legal professional.