8th June, 2017

New Mandatory Breach Notification Laws Carry $1.8 Million Penalties

After three years of uncertainty Australia will have a mandatory breach notification scheme, which comes into effect on 22 February 2018. The aim of the new laws is to better protect client data in our increasingly online world. Businesses with annual turnover over $3 million and ALL healthcare organisations have until then to make sure their policies are updated to comply with the new requirements. Penalties for failing to comply with the legislation are significant, with possible fines for businesses of up to $1.8 million.

What is a data breach?

A data breach occurs when there is unauthorised access to personal information, or personal information is mistakenly disclosed to people who have no authority to receive it. If that access or disclosure is likely to result in serious physical, psychological, emotional, economic or financial harm to the individuals concerned, notification is mandatory.

Some possible examples of data breaches that could require breach notification are:

  • Lost or stolen laptops or mobile phones
  • Hard disk drives or removable storage devices that are not disposed of securely
  • Hackers accessing databases containing personal information
  • Employees accessing or disclosing information outside their authority
  • Mistakenly providing personal information to the wrong person

What are the requirements if you experience a data breach?

  1. Carry out an assessment as soon as possible to determine whether a data breach requiring notification has occurred. The assessment must be completed within 30 days and meet the minimum requirements set out in the legislation
  2. Notify the OAIC (Office of the Australian Information Commissioner) of the breach – www.oaic.gov.au
  3. Notify all affected individuals, individually where it is reasonable to do so and otherwise by a general notice. It may also be necessary to notify individuals who are at risk of being affected

…but, what do I need to do now?

  • Review any agreements with third parties to whom you disclose personal information and ensure they are required to notify you of any suspected data breach
  • Create or update your procedures for assessing and responding to any suspected data breach
  • Review your IT security to reduce the likelihood of a breach occurring
  • Consider Cyber Protection Insurance
  • Ensure employee training on disclosing information only to authorised parties is up to date, and refresh it if needed

Protecting your client data makes sense in an online world where cyber-attacks are constantly increasing and becoming more sophisticated. These new laws will encourage those who have not already done so to put stronger protection of personal information in place.

Author: Murray Bruce