21 February 2018
New Australian privacy laws came into force on February 22. Experts warn you may be left scrambling if your SME hasn’t locked down personal information and developed a response plan to deal with privacy breaches.
Changes to the Privacy Act mean Australian businesses with annual turnover in excess of $3 million will be required to notify their customers and the Office of the Australian Information Commissioner within 30 days should they suspect or experience a serious data breach.
But what does a serious breach entail – and where should you start, if you think you’ve had one?
Essentially, it’s any situation where personal information – think customer names, email addresses, phone numbers or more sensitive information such as health details – is compromised, Macpherson Kelley Lawyers IT principal Malcolm McBratney explains.
It doesn’t take much to fall within that definition, McBratney points out.
“Your system is attacked and you suffer a phishing attack, or someone loses their mobile phone and it’s not password protected, or someone’s provided information about an individual to the wrong person…it’s not a very high bar,” he says.
Besides the unauthorised access to or disclosure of personal information, the breach must be likely to result in serious harm to one or more individuals (after taking any remedial action into account).
If a breach does occur, you’ll need to react appropriately and quickly, or risk being fined yourself by the Office of the Australian Information Commissioner, a statutory body with the power to impose stiff financial penalties – up to $1.8 million for serious or serial offenders.
Even if your SME is too small to be impacted by the new privacy rules, this is still a worthwhile exercise. A serious data breach can impact your customers and dent your business reputation; mitigating the damage is easier if you are prepared and can respond quickly.
“There’s no need to make it War and Peace,” McBratney says.
“What’s needed is a simple document outlining how you’ll determine whether a breach has taken place, who’ll be responsible for doing so, the steps you’ll take to remedy the breach, based on the nature of the incident, and how you’ll go about issuing a statement to customers and the Commissioner.”
It’s a good time to review your contracts with suppliers, if you outsource any computing or communications functions.
“Contracts should state that if the supplier experiences a data breach, they’ll inform you immediately and take steps to fix it in a timely manner,” McBratney says.
The case for staying safe
Prevention is always better than cure, so now is the time to put some practical strategies in place. Regular training can remind staff of cyber-security basics – changing passwords frequently, securing laptops and smartphones, and not clicking on unsolicited email attachments.
There’s a strong economic case for vigilance, according to Troy Filipcevic, managing director of underwriting agency Emergence Insurance, who’s helped a string of businesses pick up the pieces financially, after they’ve fallen victim to phishing and hacking attacks.
Ransomware attacks can put companies out of action for anywhere between a day and several weeks, Filipcevic says.
In the event of a serious data breach, cyber liability insurance may provide financial protection for your business. Policies can cover losses arising from hacking, data theft or accidental loss of client information, including the costs associated with cyber response and business interruption. For more information about cover, contact your Steadfast insurance broker.
CASE STUDY: How Mooney Real Estate safeguards personal information
Western Sydney’s Mooney Real Estate has employed a host of data protection practices from the get-go, according to co-owner Peggy Willcox.
Established in 2016, the agency employs 11 staff and manages a rental roll of 200 properties.
“Given we handle data like driver’s licences when people make tenancy applications, we need to have good safeguards in place,” Willcox says.
“We use a software system with different levels of security, depending on people’s roles; staff can’t access it from their phones, and we have regular security training so staff can identify phishing scams.”
It’ll be business as usual after February 22, Willcox says.
“We’ve always had good policies and practices so nothing is really changing for us, other than the fact we may have to report it if there’s been an incident, and we have a plan to do that within 24 hours.”