Personal information is an important asset to any organisation and must be protected. When it comes to data breaches, it’s essential that your business or organisation has a privacy framework in place, and that the framework includes a response plan for when a breach occurs. You’ll need to contain the threat and notify anyone who may be harmed by the information taken. The consequences of a data breach under the Notifiable Data Breaches (NDB) scheme could cost you millions.
What is NDB?
The NDB legislation, which comes into effect on 22nd February 2018, is an addition to the Privacy Act 1988 and aims to increase the level of responsibility an organisation has for securing the personal information of staff, stakeholders and customers. Businesses and organisations need to maximise their data security. Under the new laws, a business has a legal obligation to notify an individual when information about them is breached. Data breaches that are likely to cause serious harm to individuals must also be reported to the Office of the Australian Information Commissioner (OAIC).
What are the penalties?
Failure to uphold the obligations of the NDB scheme will result in heavy consequences. If there’s an eligible data breach and no notifications are sent, the penalty can reach $1.7 million for organisations and $340,000 for individuals. In addition, the cost of lost trust in your business or organisation and the impact on your brand are difficult to quantify. The Commissioner also has the power to make organisations pay compensation for damages and issue a public apology.
Who does the NDB apply to?
The NDB scheme applies to any agency, organisation or entity that is covered by the Privacy Act 1988 (Cth). Businesses, organisations and entities with a $3 million or higher annual turnover in any financial year since 2001 are covered. Any business that falls into one of the following categories is also captured under the scheme, regardless of its turnover:
- Health service providers
- Credit reporting bodies
- Entities related to an APP entity
- Entities that trade in personal information
- Employee associations registered under the Fair Work (Registered Organisations) Act 2009
- Entities that ‘opt in’ to APP coverage under the Privacy Act.
Regardless of what personal information you store, the risk of a data breach is increasing. That’s why it’s essential to maintain a strong defence against cybercrime and to have steps in place to store and destroy information safely.
How to protect your business
The best way to protect your business from the consequences of a data breach is to protect information from the very beginning. Here are a few tips to help prevent a data breach:
- Store only essential and relevant personal information
- Make sure the process of data collection and storage is secure
- Keep your staff educated on dealing with suspicious emails
- Keep information on a trusted platform and have cyber defence systems in place
- Implement procedures to monitor the storage and destruction of information
- Outsource your information destruction needs to a certified destruction provider such as Shred-X.
What to do if a data breach occurs
Time is critical with any sort of data breach, and the actions you take will determine the success of your recovery. Below are three steps to follow when your data is breached.
- Respond: Secure the information and contain the breach
- Assess: Determine if the breach is ‘eligible’
- Notify: Inform all relevant individuals and the Commissioner
Failing to respond appropriately to a data breach is an expensive and damaging decision. Securing information online is an ongoing pursuit, whereas physical data breaches are easier to contain. The Shred-X e-waste and data destruction solution guarantees the secure destruction of digital media, hard drives, mobile phones and any other IT or data asset.
Shred-X partners with various trusted companies to help you establish and maintain an effective privacy program, and once the information is no longer required, Shred-X will ensure certified secure destruction takes place.
To better understand how these new laws will affect your business, contact Shred-X today.
Further information can also be found at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.