The more reliant society becomes on digital technology, the more commonplace data breaches are. In early 2018, Australia enacted new laws that affect the way companies must react when they are the victim of a data breach. Since the laws took effect, businesses have been required to inform not only the Australian government but also the affected individuals whenever a company believes its IT systems have been breached and its clients’ personal information exposed.
These steps taken by Australia’s Parliament are understandable, especially in light of the many high-profile data breaches that have taken place in the past few years. One only needs to think about what happened to Uber. The company suffered a tremendous data breach that led to a reported 57 million people having their personal information stolen. What made matters worse is that the company kept the breach secret for more than a year.
Something similar happened with the Red Cross. They suffered a breach, and the result was that more than 500,000 blood donors in Australia potentially had their personal data compromised. With breaches like these becoming more common, it’s understandable that the government felt it necessary to put regulations in place to keep people’s information protected. If there is a breach and a person is notified immediately, they can take steps to protect themselves before their information is used in a nefarious way.
What These New Laws Mean
Australia’s breach reporting laws came into effect at the end of February 2018. These laws are designed to mirror similar laws that have been put on the books in countries like the United States. In Australia, it is known as the Notifiable Data Breaches scheme.
This law applies specifically to businesses and organizations that are required to abide by the Privacy Act. This means that businesses, nonprofit organizations, government agencies, health service providers, and other organizations with an annual turnover of at least $3 million need to adhere to this law. In the vast majority of cases, a small business that does not make more than $3 million will not be subject to this law. Of course, there are a few exceptions, and these are laid out in the legislation.
How Will This Law Affect Business?
Let’s say that a business suffers a data breach. It has 30 days to notify the individuals who have been affected by the breach that the breach has taken place. In addition to notifying the individuals or government entity about the breach, it also needs to provide actionable recommendations about what steps the victims should take as a result of the breach.
The Australian Information Commissioner must also be informed about the data breach. The Australian government has made this process somewhat easier by making it possible for businesses to include this information in a statement that can be sent online.
What is meant by an eligible data breach? Basically, it means a data breach in which an unauthorized individual or entity gains access to, is able to disclose, or causes the loss of personal information held by an entity, be it a business or a government agency, and the information involved has the potential to cause harm to the individuals it is about.
There are a couple of ways that a breach of this sort could happen. One way is for an outsider, such as a hacker, to break in and steal the data. Another way is for an employee or someone else who is authorized to see and handle the information to accidentally provide a person’s private information to the wrong recipient. For example, a health chart may be given to someone who has a similar name.
It’s important to note that the law is not designed to be retroactive. Anything that happened prior to February 22, 2018, is not included under this law. This is true even if the breach is not discovered until after February 2018.
There is a difference between breaches that require notification and those that are deemed non-notifiable. If an organization can show that a breach has taken place but that it has taken the steps necessary to prevent the acquired information from becoming a potential danger to the people it is about, then a notification may not be required.
What If a Company Does Not Want to Report?
Well, the negative consequences are twofold. There is the consequence imposed on the individual or organization that fails to report, and there are the consequences that the victims may experience.
If an organization opts not to report an eligible data breach, it could face fines up to AU$1.8 million. Individuals who fail to report may face fines up to AU$360,000. There is some debate as to whether or not those fines are steep enough. Maybe an organization that is barely making $3 million a year will feel the sting of a $1.8 million fine. But an organization that’s making hundreds of millions or billions of dollars annually may not see the fine as enough to dissuade it from engaging in unsafe data practices.
But what may dissuade them is the effect that their data protection practices have on their clients. If a person has their information stolen and then becomes a victim of a phishing attack, identity theft, money laundering, or fraud, they are going to hold the business that let their information slip accountable.
Consumers can take steps to protect their personal data by following security best practices on their computers. For some, this may include using a VPN like Avast VPN to keep their online information safe.
It’s reasonable to think that the current changes to privacy laws in Australia, as well as in other countries around the world, are just the beginning of a process that will be refined as data protection technology and techniques improve to combat new threats posed by criminal elements.
What do you think about the new data protection laws in Australia? Do you think they are enough to make a difference when it comes to protecting consumer privacy? Let us know in the comments section below.