Your business might pride itself on great service or friendly staff, but your success is really built on the trust your customers have in you. After all, when they hand over their personal information, there’s some risk taken on their behalf.
Unfortunately, cybercriminals want to damage this trust. They’re a persistent bunch and are increasingly focused in Australian small and medium business. This is why the government is making data breaches easier for your business to handle. The name of the game is transparency but also making sure your business can maintain that high level of trust with your customers.
So, what’s new?
Before February of 2017, your business was only encouraged to report data breaches to the Office of the Australian Information Commissioner (OAIC). In other words, you weren’t legally bound to say anything. However, a recent change to the Privacy Act calls for a more action when handling personal data. Personal data is “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable”.
As a business manager, this should be a weight off your shoulders. Think about it. It’s much harder to tackle cybercrime on your own, given it’s done in the shadows of cyberspace. In fact, the problem is so widespread it’s said to cost the global economy $500 billion a year.
The newly expanded law – called Notifiable Data Breaches – is designed to shine a light on this activity. If you believe there’s been some unauthorised access to your business where information has been compromised or stolen, you need to move promptly. This type of breach or theft may cause serious harm to someone and really damage your business in the process.
Be ready for the threat
It’s important to review your cybersecurity processes and talk to your employees before the changes take effect. Here are a few steps to get you started:
- Check your current plans and processes.
What’s your business currently doing to prevent cybercrime and where does it need to improve? Make changes where necessary.
- Make sure everyone on your team knows their role.
Explain the law and write down steps to help manage your internal compliance around it.
- Understand the jargon.
The legal phrasing used for a breach is ‘unauthorised disclosure’. Fine, but keep it simple. If you sense there’s a risk to someone, there probably is and you need to act. Also keep in mind that serious harm isn’t just physical, it includes psychological, emotional, economic and financial harm, too.
- Raise awareness.
The new scheme is about better protecting everybody – both your business and consumers. Once your team members know how to handle a security breach, the crime will be easier to pin down. It’s all about preparation
Okay, there’s been a breach, now what?
If private information was broken into or stolen from your business, take note of it and how your customers might be affected. Firstly, you must prepare a statement about the data breach and send it to the OAIC.
Secondly, you need to tell impacted customers about the incident and how they should respond.
There are three different ways of notifying them:
- Tell each of the people impacted
- Also, tell those who might be potentially at risk of serious harm
- If you can’t get in touch with these people, then publish a statement on your website and publicise it. This might include advertisements in newspapers, on websites and social media platforms.
Remember, if you fail to act, you can face penalties that include fines of $360,000 for individuals and $1.8 million for organisations. It’s just not worth the risk.
What type of business is impacted by this law?
The Privacy Act applies to every type of business in Australia. However, the new data breach law is for every organisation with an annual revenue over $3m, and for any smaller businesses (under $3m in revenue) that handle personal information.
For example, insurance brokers, bankers, accountants, attorneys, psychologists and health insurance providers all routinely work with people’s personal data.