Australia wants businesses to be more accountable when it comes to data security.
The government enacted the Notifiable Data Breach policy which requires all businesses to inform the Office of the Australian Information Commissioner of any potential breaches in data that may affect any of their customers, subscribers, or clients.
Consequently, businesses affected by data breaches shall be mandated to notify individuals whose information may have been compromised within a period not exceeding 30 days. During the period, the business should likewise launch an investigation regarding the suspected breach in data.
Businesses who do not comply with the Notifiable Data Breach initiative will be levied a heavy fine.
The penalties could range from $360,000 for individuals and up to $1.8 Million for companies.
The policy will cover businesses that fall under the Privacy Act. Specifically, this pertains to businesses that generate a turnover exceeding $3 Million.
The Notifiable Data Breach policy puts businesses on notice that these incidents should be treated as a priority.
Other than risks to the privacy and financial well-being of their customers and service end-users, data breaches can severely damage business reputation.
Data Security Laws: The Growing Threat Of Data Hacking
2017 was a banner year for cyber- criminals.
According to Online Trust Alliance (OTA), 2017 was the worst year in data breaches and cyber- criminality the world over. OTA reported that in 2017, the total number of cyber- attacks doubled with ransomware as the number one problem.
OTA’s report entitled “Cyber Incident & Breach Trends Report”, the aggressive use of ransomware by cyber- criminals led to an estimated 160,000 attacks. That number was double the number of ransomware attacks in 2016 which was pegged at 82,000.
More troubling was the OTA’s claim that the number of ransomware attacks could have been higher as it believes most breaches were not reported by businesses.
If the breaches were reported, OTA estimates the number of ransomware attacks would total 350,000.
Last October 2017, it was reported in the media that Australia’s own defence programs were stolen by hackers.
An estimated 30GB of data was stolen when cyber- criminals hacked through the database of a government contractor. Among the information stolen were confidential details on new fighter planes and navy vessels.
Results of the investigation showed that the breach actually started as early as July 2017. However, the contractor failed to inform the Australian Signals Directorate until November.
For years, Australia has lagged behind other countries in providing data security and protection for businesses and its citizens. That has changed with the government’s announcement that it will increase spending for data security programs by $50 Million over the next seven years.
Australia plans to create its own cyber security research centre.
Data Security Laws That Apply To All Businesses
In 2012, Privacy Act 1988 was amended with the implementation of The Privacy Amendment Act 2012 or the Enhancing Privacy Protection Act.
It should be noted that the Privacy Act 1988 was enacted to regulate the way businesses managed the private information of individuals.
The Privacy Act 1988 was covered by 13 Australian Privacy Principles or APPs. These principles were used as a guide for the collection, usage, storage, and disclosure of personal information. It was also used as a reference for businesses to access, update, and revise individual information.
The Privacy Amendment Act 2012 was deemed necessary by the Australian government because it felt that businesses continued to face problems with data privacy breaches.
The revised law will be applied to all Australian companies and foreign entities that are conducting business on Australian soil.
A key feature of the amendment is the extension of new powers to the Office of the Australian Information Commissioner (OAIC).
The Commissioner has the authority to monitor how businesses are complying with the provisions of the law. Likewise, the Commissioner can require companies to invest in upgraded or the latest IT systems as well as improve training of personnel.
The Commissioner can also instruct businesses to prioritize privacy complaints and ensure that these are all attended to in an effective and timely manner.
The law will cover all businesses operating in Australia that store data on their customers. Cloud- based and communications service providers are not exempted.
Further, all businesses have to be very clear and inform the government if the data is managed outside the jurisdiction of Australia and if suppliers, contractors, involved in the process are located outside Australia. Regardless of the logistics, entities that are involved in data storage are strictly required to adhere to the provisions of legislation.
As we mentioned earlier, the Commissioner is also given the authority to levy steep penalties to companies that fail to report data breaches which could compromise the privacy and security of individuals.
Exhibit A for this new power of the Commissioner is Australian telecommunications company, Telstra. The telco giant was instructed to pay a penalty of $10,200 after data breaches was found to have jeopardized the information of an estimated 15,775 customers.
Personal information included names, phone numbers, home, and business addresses.
The Commissioner handed down the penalty because Telstra did not comply with the security guidelines it was supposed to have instituted after an earlier breach in 2011 affected an estimated 700,000 subscribers.
Now with the Notifiable Data Breach policy in place and higher penalties as consequences, businesses will have to ensure they are fully equipped with effective techniques in mitigating risks involving cyber-related crimes.
While it is not realistic for businesses to have perfect data protection protocols and systems in place, having an effective process ensures counter- measures are ready in the event a breach does happen.
It is not enough for the government alone to have an extra initiative to protecting businesses and the citizenry. Businesses should be accountable for the safety, protection, and integrity of their customers’ personal information.
Companies should take a more proactive mindset toward protecting their business and upgrading IT infrastructure.
Companies have to understand that cyber- threats are growing every day. Hackers and other types of cyber- criminals are stepping up their game to steal valuable information.
Cyber- attacks will always be in a constant state of evolution. Therefore, businesses must do their share to keep up with the latest developments in anti- malware and anti- ransomware technology.
Here’s a statistic that effectively highlights the importance of having dependable data security measures. It should also increase awareness for small business owners in Australia:
60% of small businesses in Australia that experience cyber breach close down within six months after the incident.
The statistic was provided by the Australian Small Business and Family Enterprise Ombudsman.
However, a report made by Telstra in its Cyber Security Report of 2017, found that 33% of small businesses that have fewer than 100 employees do not take cyber- crime seriously enough to incorporate data protection and security measures.
The statistic is bothersome considering that 84% of small and medium scale businesses in Australia operate online.
The bottom line is all types of businesses; whether small, medium, or large scale enterprises that operate in Australia, should prioritize data protection and security systems.
The consequences of a data breach are far- reaching. Not only will it compromise the security of individuals, the financial stability of the company, but also the economy of the nation.