Since the new Notifiable Data Breach (NDB) scheme came into effect on February 22, 2018, the Office of the Australian Information Commissioner (OAIC) has received over 31 notifications of eligible breaches. That's 30 notifications in 30 days.
Under the new scheme, agencies and organisations in Australia must notify individuals whose personal information has been compromised by a data breach where that breach is likely to cause serious harm. The individual and the OAIC must be notified as soon as possible after an organisation or agency becomes aware of the breach, and notifications must include:
- Information relating to the identity and contact details of the organisation
- A description of the breach and the information concerned
- Recommendations about the steps an individual can take to respond to the breach.
The Notifiable Data Breach Scheme applies to organisations, and their company directors, that the Privacy Act requires to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients. Eligible data breaches are breaches that involve unauthorised access to, loss of, or disclosure of personal information that may cause harm to the individual whose information has been compromised. Examples of eligible breaches include:
- The loss or theft of a device containing an individual’s personal information
- Employees browsing sensitive records without authorisation or legitimate purpose
- Breaches of a database that includes the personal information of users
- When personal information is mistakenly given to the wrong person or party
Mobile devices, including smartphones and tablets, are covered by the new NDB regulations, as they handle significant amounts of data that may be associated with the personal information of Australian individuals. This information may include names, addresses, marital status, health histories, and bank details.
The penalty for failure to comply with the new NDB legislation is a fine of up to $360,000 for individuals and $2.1 million for organisations. For smaller companies that meet the $3 million turnover eligibility criterion, a fine of this size could cripple the organisation.
If you have concerns about how your business complies with the Notifiable Data Breach Scheme, or are worried about how to respond to and recover from a breach, contact imei today. We can help ensure your compliance with the new data breach laws.
We look forward to hearing from you.