Security | April 12, 2017
Legislation Update – Mandatory Security Breach Reporting
Last week the House of Representatives, the lower house, passed mandatory data breach notification laws.
Organisations will have to reveal if their systems and/or data have been compromised by cyber attack or technical failure.
This is a crucial step forward in the elevation of data protection and cyber security issues for all businesses.
If an organisation that is subject to the Privacy Act incurs an “eligible data breach”, it will have to alert the Australian Information Commissioner and the people whose data has been compromised.
Eligible breaches are those in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is likely to result in “serious harm to any of the individuals to whom the information relates”.
Companies that are affected by the legislation include businesses with over $3 million in turnover, smaller firms that handle sensitive information and most government agencies, for example:
- Private sector health service providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
- Child care centres, private schools and private tertiary educational institutions
- Businesses that sell or purchase personal information, along with credit reporting bodies
Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records, are also covered under the new data breach notification scheme.
This new law is set to come into effect within 12 months.
It is important that we all recognise that cyber security is a collective responsibility, relevant at all levels of business.
Be proactive and get protected.