Cybersecurity is undoubtedly one of the biggest risks faced by businesses today, compounded by the fact that the issue is often overlooked or downplayed. Over recent years the threat of cyber attacks has gained a higher profile, with a number of scandals unfolding both within Australia and internationally, including the infamous 2016 Australian Census debacle and developing claims of Russian involvement in the US election. However, businesses and corporations would be naïve to think that only governments are targets for cyber attacks: a number of factors mean the potential for data breaches is increasing rapidly, for organisations and individuals alike.
A data breach can include any number of things, ranging from an internal or 'innocent' mistake such as a lost phone or laptop or an email sent to the wrong addressee, to an external cybersecurity threat such as a malicious virus or spyware, hacking, theft or a denial of service attack. Because Australian businesses are now collecting and retaining vast amounts of sensitive personal information on electronic servers, and in turn sharing it with more and more groups such as suppliers, contractors and partners, the Australian government has responded by passing legislation on 13 February 2017 which will make data breach reporting to the Office of the Australian Information Commissioner (OAIC) mandatory. These changes bring the issue to the forefront for organisations, in line with the view that it should be seen not only as an IT issue but as one that affects all aspects of the business.
What the changes mean
The changes are implemented by the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which passed both houses on 13 February 2017. Businesses have just under a year to prepare for these changes. Organisations will have to notify the OAIC, and the affected individuals, in the event of an 'eligible data breach', which under the legislation occurs where:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
A business entity is obliged to give notification where it has reasonable grounds to believe an eligible data breach has occurred. It is the responsibility of the organisation holding the information in question to notify the OAIC, except where the information is jointly held by two or more organisations, in which case only one of them needs to notify.
An organisation is exempt from this requirement where it takes remedial action in response to the eligible data breach before any serious harm results, such that the unauthorised access or disclosure has been prevented (in the case of lost information) or is no longer likely to result in serious harm to the affected individuals.
Penalties of up to $1.8 million will apply for serious or repeated non-compliance.
Businesses should begin preparing for these changes now. This means making sure they comply with their existing privacy obligations, ensuring the resources are available to identify a breach if one occurs, and talking with employees so that they know the current procedures for information handling. And of course, it is always good practice to have a plan in place setting out the procedure to be followed in the event of a breach.
The Australian Securities and Investments Commission (ASIC) identifies cybersecurity as a corporate governance issue, and for this reason it is important that directors and boards are aware of the threat it poses and understand it. Of course, this threat will be different for every type of business or corporation. Depending on the organisation, cybersecurity may form part of a director's duties, a risk management framework may be required, or it may be as simple as directors playing a role in promoting awareness and cultivating a corporate culture of good practice in preventing cyber attacks.
Businesses and corporations still have just under a year to prepare for the changes coming to the reporting of data breaches; however, it is important that an organisation is continually working towards creating a corporate culture that is more engaged with, and aware of, the risks that cybersecurity attacks pose.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.