This is Part 5 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read the rest of the series.
So far in this series we’ve covered the most essential components of the Notifiable Data Breaches amendment to the Privacy Act, including who is affected, the implications, and what constitutes an eligible breach. This week, we discuss the changes we face under the NDB Act and how to prepare for the new law.
Digital security practices and the NDB Act
Digital security practice in Australia is likely to undergo significant change with the introduction of the NDB Act this year. The legislation will introduce a whole new way of thinking about data protection for Australian businesses.
Each year, cyber crimes are estimated to cost Australians $2 billion. Data breaches supply identity criminals with personal information — PayPal accounts, credit card details, bank log-in credentials, names, addresses, passports, and driver’s licences — that are in turn used in fraudulent acts.
When notification of an individual is voluntary it can be many months, or even years, before affected individuals are made aware of a breach. This leaves individuals completely in the dark when potentially malicious parties hold their information and renders them unable to take action to safeguard themselves. Right now, it takes companies an average of one year to process a notification, if they do so at all. Compare that to the average time it takes for cyber criminals to use information fraudulently — just 3 days — and it’s clear that most Australians will benefit from the mandatory notification scheme.
For businesses, there’s a strong incentive under the NDB Act to avoid data breaches; regardless of if they report the breach, the consequences can be severe. A Ponemon Institute report last year found that data breaches can incur an average of $2.51 million in costs and losses for a single business, through disruption and profit loss resulting from a decline in customer trust.
Mandatory notification will inevitably bring about a shift in public awareness of digital security issues — Australians are likely to hear about more data breaches in the coming years and become more aware of how companies handle their data. Companies will be legally obliged to respond sooner, resulting in individuals being made aware of breaches sooner, allowing them to better protect themselves. The NDB Act will eventually mean tighter digital security Australia wide.
Data destruction and the NDB Act
As part of their strategy to comply with the new law, companies need to ensure data destruction is a part of their protection protocol. Businesses subject to the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principals (APPs) are obliged to put in place reasonable security safeguards to protect the information they hold from misuse, loss, unauthorised access, disclosure, or interference. They’re also required to destroy or de-identify personal information once it is no longer needed. Companies are legally obliged to employ appropriate data security for live data, and to destroy all end-of-life data.
This means that correct data destruction is not only an easy way to help avoid unnecessary data breaches, but also constitutes a legal obligation. When drives are stored under security, or no longer function normally, the data they contain can usually be retrieved. Properly destroying hard drives and other data storage devices is the only way to ensure data is completely eradicated, which will consequently help safeguard your company from data breaches and comply with the law.
The employment of secure data destruction methods is one of many changes that will need to happen within all Australian companies as the commencement of the NDB Act draws nearer.
Preparation for the NDB Act
A recent report found under half of the companies surveyed think they can respond well to a data breach involving business confidential information and intellectual property. That number indicates the confidence of individuals within the company and reflects the lack of faith Australians have in data-holding organisations. Studies indicate that in some sectors (especially telecommunications, government, and banking) close to half of Australians expect an imminent data breach.
In some ways, the legislation is going to further this mistrust in the short term by publicising more breaches. Therefore, it’s essential that businesses start preparing immediately for the change. As a business owner you must become confident in your business’s ability to handle data securely and enact a breach response plan, along with reporting the breach if one does occur. As an employee, know your responsibilities and the potential risks involved.
The Privacy Act and the APPs inform privacy protection in Australia. Being familiar with these documents and following the 10 steps recommended by AVTEL Data Destruction experts in this blog post is a good place to start for good digital security.
Next week: In our final blog post in this series, we discuss best practice for security and compliance with the NDB Act.
For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.
This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.