Especially for those of us in e-commerce, we know that when individuals or companies transact business on the web, a trail of information is being gathered – names, addresses, phone numbers, tax file numbers, credit card information, even personal medical information.
Identity theft, intellectual property theft, fraud, infiltration by hackers: the fear is real. No company wants its precious data to be available to whoever is willing to pay for it. But more than that, no business, or government for that matter, wants its customers’ personal data out there and saleable to the highest bidder. That’s just bad for business (and hurts your chances come election time).
What you might have missed, though, was the announcement of some tough new rules around data protection introduced recently by the Federal Government. The Notifiable Data Breaches Scheme is the government’s way of getting medium-to-large businesses to tighten their data security.
Although the Government’s timing looked like it was in response to Facebook’s recent debacle, this was already in the pipeline.
Whilst these new rules mainly apply to businesses turning over more than $3 million a year (some smaller entities, such as health service providers, are covered too), we thought it might be a good opportunity for everyone who works with customer data to review their data protection policies and processes.
What is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches (NDB) Scheme is the long-awaited amendment to the Privacy Act 1988 that, for the first time, makes breach notification mandatory for the entities the Act covers. It is designed to protect individuals whose personal information has been caught up in a data breach: an affected individual must be told what happened and what kind of information was involved, and the notification must include recommendations on the steps they should take in response to limit the damage (changing passwords, watching for suspicious transactions, and so on).
How does the Notifiable Data Breaches Scheme work?
To protect clients’, users’ and customers’ personal information (email addresses, phone numbers, identity documents, credit card details, health records etc), the NDB Scheme makes the business responsible for notifying any individual whose personal information has been accessed, disclosed or lost without authorisation.
Not every incident qualifies. The scheme applies to personal information the entity holds in any form, whether on its own servers, in the cloud or on paper, and a breach is “eligible” for notification when a reasonable person would conclude it is likely to result in serious harm to any of the individuals concerned. If you only suspect a breach, you have 30 days to assess whether it meets that test, and if you can take remedial action quickly enough that serious harm is no longer likely, notification is not required.
When a breach is eligible, businesses will not only have to notify the affected individuals, they’ll also be required to submit a statement about the breach to the Office of the Australian Information Commissioner (OAIC), as soon as practicable.
Categories of breach
Under the NDB Scheme, data breach can be divided into three categories:
1. Unauthorised access
Unauthorised access to client information occurs when an employee or contractor browses personal information without any legitimate purpose, or when an outside party gains access to customer information without authority (for example, an attacker who has compromised a system).
2. Unauthorised disclosure
Unauthorised disclosure is when client personal information is made accessible to people who should not have it, whether intentionally or not. Think: accidentally publishing a file full of sensitive client data, emailing a spreadsheet to the wrong recipient, or leaving classified documents behind in an old filing cabinet (government, anyone?).
3. Loss of personal information
Loss of personal information occurs when hard disks, laptops, portable storage devices or paper records are misplaced or fall into the wrong hands. Loss counts as an eligible breach when unauthorised access to or disclosure of the information is likely to follow, which is why a lost laptop with full-disk encryption and a strong passphrase is a very different matter from a lost unencrypted USB stick.
What are the consequences of noncompliance with the Notifiable Data Breaches Scheme?
Getting ready for the NDB Scheme generally means three kinds of work:
- Data audit: knowing what personal information you hold, where it lives and who can reach it
- Risk assessment: working out which of it could cause serious harm if exposed
- Cybersecurity implementation: putting controls in place, and a response plan for when they fail
Failure to comply can be treated as a serious or repeated interference with privacy, for which the Commissioner can seek civil penalties of up to $2.1 million for companies – so it’s not something to get wrong.
Again, these obligations apply to the entities already covered by the Privacy Act: Australian Government agencies, businesses and non-profit organisations with annual turnover above $3 million, health service providers of any size, and certain others such as organisations that trade in personal information. The scheme took effect on 22 February 2018.
Where does this leave you?
In short, data security (online and off) isn’t just an IT issue anymore. Everyone from senior management and founders down to junior employees must be across it. And if you have off-shore contractors with access to protected data, you remain accountable for how they handle it, so their obligations need to be written into the contract and checked, not assumed.
As enforcement of the NDB Scheme matures, expect the baseline for data privacy and protection practice to rise with it.
Online businesses, regardless of size, and especially if you’re in growth mode, simply must keep up to date with these rules to ensure you stay compliant.
With uncertainty around how strictly the Notifiable Data Breaches Scheme will be enforced, it’s better to err on the side of caution: brush up on the regulations and put tougher safeguards in place rather than risk incurring significant fines.
Treat your customers’ privacy as an asset that needs to be protected at all costs.
If you’re contemplating up-levelling your customer service logistics to give you more time to focus on the things that really matter in your business, we can help. You can give us a call on +61 2 9828 0111 (Sydney), +61 3 9240 300 (Melbourne) or +64 9 263 8855 (Auckland) or drop us a note via the form below.