Good question! Firstly, realise that you are a potential target precisely because you are a start-up. Despite your relatively small organisation size, it is important to build a foundation of strong data protection and security practices. An information-centric approach to security could be key to mitigating the risk that attackers pose to small, vulnerable entities.
While Australian privacy and information security laws are complex, it is important to understand your own and your business's obligations. If your business suffers a notifiable data breach (NDB), there are important steps to follow to comply with Australian privacy law.
What is the Privacy Act?
The Privacy Act 1988 (Cth) (the Act) regulates the way organisations handle, use and disclose an individual's personal information. The Act primarily regulates Australian Government agencies, organisations with an annual turnover greater than $3 million, small businesses that opt in, and businesses that deal with health data or credit reporting.
What is the NDB Scheme?
Any organisation regulated by the Privacy Act must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Most commonly, this covers hacking and accidental disclosure (such as releasing personal information to the wrong person).
An organisation that suspects an eligible data breach may have occurred must act quickly to assess the incident. We recommend that you have a legal expert assess whether or not the breach falls within the NDB scheme and therefore must be reported to the OAIC and to affected individuals. If you get this wrong, the implications can be significant.
What happens if I have an NDB incident?
If a notifiable data breach occurs, you should complete an Eligible Data Breach Statement within thirty (30) calendar days of the breach. The statement form is available online on the OAIC website. Then, using the content of the Eligible Data Breach Statement, you should prepare and send a separate notification to those affected by the breach. We recommend having a legal professional draft this notification and, where appropriate, involving a public relations or brand reputation expert in the communications.
Finally, consider whether you are required to notify your insurer under any policy of insurance (cyber insurance or otherwise). Early notification can provide significant assistance in funding legal or cyber advice and in preparing the Eligible Data Breach Statement.
What happens if I fail to notify the OAIC?
The Australian Information Commissioner has broad powers to enforce penalties against businesses that interfere with an individual's privacy. On successful prosecution, the maximum penalty may include a civil penalty of up to $402,000 for individuals and $2,100,000 for corporations.
How does my organisation stay protected?
While it is impossible to guarantee that personal information is entirely secure, there are several preventative and response measures your organisation should implement to protect against a data breach and lessen its impact.
To prevent data breaches, there are organisational and personnel-level measures to deploy within your organisation. To protect the organisation broadly, ensure that physical and electronic records are stored securely and are accessible only to the personnel who require access, that you use up-to-date and adequate security software, that you conduct regular cybersecurity risk assessment audits, and that you encrypt and back up sensitive data. To protect individual personnel, conduct staff training to raise awareness and implement organisational data security policies, such as a password policy that requires personnel to use robust, secure and unique passwords which are changed often.
We also highly recommend preparing a comprehensive data breach response plan. This should set out your organisation's strategy for identifying, containing, assessing and managing a data breach incident. Such a plan helps limit the consequences of a breach and supports the confidence that customers or clients have in your ability to manage their information.
The plan should cover what constitutes a data breach; the strategy for containing, assessing and managing breaches; the roles and responsibilities of key personnel within the organisation; how to document the breach; and how to review and evaluate the incident so that a similar breach can be prevented in future.
Our team has extensive knowledge of the privacy and data handling legal sector. If you or your business needs advice on a potential notifiable data breach, or would like us to prepare a comprehensive data breach response plan for your organisation, please don't hesitate to contact a member of our Bolter team.