By Sonia Hickey and Ugur Nedim
New laws came into effect on Friday making it mandatory for Australian businesses with a turnover of more than $3 million per year to inform customers of any “data breach” that puts them at risk of “serious harm”.
Under the new laws, which amend the Privacy Act 1988, data breaches include any unauthorised access to, disclosure or loss of customer information, encompassing all personal information, credit reporting information and tax file information.
Serious harm is broadly defined as including physical, psychological, emotional, reputational, economic and financial harm.
Assessing and reporting
Under the new Data Protection Regulations, businesses with a mere “suspicion” of a breach must take all reasonable steps to ensure that a full investigation of that suspected breach is completed within 30 days.
If a breach has indeed occurred, it must be reported to the Office of the Australian Information Commissioner and customers must be notified in writing.
The customer notification must include specific information about the compromise, as well as clear instructions for responding such as the need to change passwords, cancel credit cards and/or review their personal information.
Those don’t comply with the new laws will be liable for hefty fines – up to $360,000 for individuals and $1.8million for businesses for serious or repeat infringements.
The laws are said to bring Australia into line with corporate data security policies and procedures around the globe.
Burden on businesses
Small business groups have expressed concerns that the breadth of the laws could place a heavy burden on already struggling businesses – with many potentially erring on the side of caution by conducting endless assessments, which would be costly and time consuming, and sending out numerous notifications for even the smallest of potential breaches.
This, it is feared, will place an unnecessarily onerous or even crippling burden on businesses which are already drowning in compliance requirements from organisations such as the ATO, OSR and industry specific regulatory bodies.
Others feel the new laws are nevertheless necessary as they are likely to trigger businesses into taking measures to protect customer data.
Recent studies suggest that only 57 per cent of small and medium sized businesses have not undertaken an IT security risk in the last 12 months, putting their devices, data and documents at risk.
It is hoped the new requirements will improve these figures.
Exemptions are unlikely
While small business groups are lobbying for exemptions, legal experts say it’s unlikely these will be granted because the laws form part of Australia’s agreement with its EU trading partners.
So businesses will need to comply with the laws or suffer the consequences.
Cost of identity theft
Figures from 2016 suggest that identity theft costs the Australian economy $2.2 billion every year – a figure that is constantly rising. And this doesn’t factor in the emotional, and social costs of having your identity stolen and used by others.
The government says the new laws are vital for protecting our privacy and strengthening our rights to check and review the information that businesses hold, and for encouraging businesses to keep our personal information safe.