Between 2015 and 2016, more than one hundred data breach notifications were submitted to the Office of the Australian Information Commissioner, with many more believed to have gone unreported. For this reason, it is no wonder the government has decided to introduce stricter guidelines in relation to how businesses handle private and sensitive information. In a time where information security encompasses everything from paper archives to hard drives and online databases, the government is now pushing to ensure companies are held accountable for the data they collect through the introduction of the Mandatory Breach Notification.
So what is the MBN?
The Mandatory Breach Notification is a bill that was passed through the Senate in February of this year and will come into effect for Australian businesses as of February 22nd 2018. This new legislation calls for any business or organisation covered by the Privacy Act to advise individuals who have been affected by a data breach that has the potential to cause ‘serious harm’ within 30 days of the event. From the time the bill is actioned, any breaches will also need to be reported to the Office of the Australian Information Commissioner to determine whether further action should be taken.
What does it mean for Australian business?
In essence, the MBN was designed to encourage organisations to take more care with personal data. Concurrent with the bill, entities are urged to start refining security measures and processes in an attempt to avoid data breaches and to facilitate appropriate action if they do occur. Companies will be required to notify those whose information has been compromised, a move which has the potential to severely damage business reputation and credibility. Although the bill has the potential to cause problems for those found to be in breach, it also has the capacity to help facilitate transparency in the way you conduct business and strengthen or rebuild public trust. If you’re an Australian business that is likely to be impacted by the MBN, give Shred-X a call and we can give you the rundown of everything you need to know.
Who is affected?
At present, businesses and other organisations are not obliged to report breaches of personal or private information. This means that individuals can never really be sure of the safety of their personal information. As of February next year, however, any Australian company with turnover exceeding $3 million per year will be required to adhere to the stringent guidelines of the MBN. Although State government organisations, local organisations and other businesses with a turnover that falls short of $3 million are exempt from the bill, the government is urging everyone to revise their security processes and strengthen preventative measures. When reviewing data security, it can be hard to know where to start and even harder to know when you’ve got it right. However, with the help of a reputable destruction provider like Shred-X, you can be confident that both your data and reputation are safeguarded.
What are the penalties?
Non-compliance with the MBN can have a range of consequences for businesses found to be in breach, which is why it’s important to start making changes well ahead of its introduction. The Australian Privacy and Information Commissioner has the authority to begin an investigation into a company at any time, regardless of whether a complaint has been received. If found in breach, the Commissioner will generally give the company the opportunity to notify the individual voluntarily. If, however, the entity does not believe notification to be necessary, it can then submit its case for review. The Commissioner will assess all information presented before making a final judgment and will either direct the entity to notify the individual or not. In serious cases, the Commissioner also has the power to:
- Require compensation to be paid for damages, or other remedies such as the delivery of a formal apology (enforceable by the Federal Court or Federal Magistrates Court)
- Accept enforceable undertakings
- Seek civil penalties of up to $340,000 for individuals and $1.7 million for companies
- Seek an injunction regarding conduct that violates the Privacy Act
- Publicise information regarding the data management practices of an agency found to be in breach
How can a data breach occur?
Data and security breaches can occur in a number of ways, which is why it is so important to have proper processes in place that can help to avoid such issues. Some of the ways a company may experience a data breach include:
- Lost or stolen digital devices or hard copy records
- Poorly discarded hard copy records (which can be recovered from insecure bins)
- Discarded digital devices that haven’t been appropriately cleared/destroyed
- Illegally accessed databases that include private information
- Employees accessing or disclosing private information that is above their clearance/authorisation
- Organisations providing information to the wrong person (whether accidental or not)
- An individual receiving information from an organisation by way of deceit or fraud
If any of these sound familiar to you, your data may be at risk! Proactive action is always better than reactive, so you might want to start considering some storage and destruction alternatives. With a wide range of secure services on offer, Shred-X can help you every step of the way to ensure private data remains private.
Tips to prevent a data breach:
- Limit employee access to private and sensitive data
- Supply company devices/emails to ensure private data isn’t stored on personal ones
- Utilise the Cloud’s superior security
- Put procedures in place to monitor storage and destruction of information
- Outsource your information destruction needs to a reputable destruction provider such as Shred-X
Don’t wait until it’s too late! For more information about preventing data breaches or to discuss a better destruction alternative, contact Shred-X Secure Destruction today.