Australia's New Data Breach Legislation: What You Need to Know

Australia's new data breach legislation takes the form of The Privacy Amendment Act of 2017. It makes a small-yet-significant change to the Privacy Act of 1988 that will officially go into effect on February 22, 2018. 

Understanding exactly what this new legislation is, and the potential consequences that it holds as a result of noncompliance, is essential to operating safely and securely in the digital age moving forward.

What is The Privacy Amendment Act of 2017?

In essence, this new Australia cybersecurity legislation means that organisations that are already subject to the Privacy Act (otherwise known as APP Entities) will need to quickly notify the Office of the Australian Information Commissioner, along with any other people who may be affected, that an eligible data breach has occurred. 

Organisations (including Federal agencies) that are subject to the Privacy Act should begin taking steps now to guarantee that all of their internal practices, policies, and procedures will allow them to meet these new obligations by the given deadline. If not, they could face incredibly severe penalties and fines as a result.

Why are These Changes Important?

This new mandatory reporting is so important (and the consequences are so severe) largely because the issue of cybersecurity itself is one of the most critical that we face in the modern era. Cybercrime in general is a problem that already costs the global economy roughly $450 billion per year according to most estimates. Unfortunately, it's also a problem that is only going to get worse before it gets better. 

To put things into perspective, in 2015 cybercrime damages reached $3 trillion globally. By 2021, that number could rise to an astounding $6 trillion.

Even specific types of cyber attacks are growing more frequent (and more costly) by the year. Ransomware alone cost users around the world $325 million in damages in 2015. By the end of 2017, that number had hit $5 billion. Keep in mind that this is just for one particular type of cyber attack — a particularly effective one at that. 

It's clear that this is absolutely something that needs to be addressed sooner and governments around the world are finally starting to step up and answer the call, taking an active interest in protecting their citizens, their country, and their economy from hackers across the globe. These new Australian cybersecurity laws are simply one of the most recent examples of this in action. 

How Will These Changes Affect You?

To understand precisely how this new Australia cybersecurity legislation will affect you, you must first understand exactly what APP Entities are now required to do. In the event of an eligible data breach, which is defined as a situation where there has been a confirmation or a reason to believe that a cyber attack has taken place that could result in serious harm to any individual due to unauthorised data access, organisations will need to begin mandatory reporting and notification by way of a two-step process.

First, the affected organisation will need to create a statement containing as much information about the breach as possible, which will then be provided to the OAIC. Next, the organisation must notify anyone who may be affected by the breach — meaning anyone whose information may be compromised or at an increased risk. 

From the moment that an eligible breach or other cyber attack takes place, organisations essentially have 30 days to complete the aforementioned two steps under the new Australian cybersecurity laws. If they do not and that business is then found to be breached, it could be subject to fines of up to $1.8 million. Furthermore, the directors of that organisation could face fines of up to $360,000 per breach. So to say that compliance with this new mandatory reporting legislation is important is something of an understatement.

Powernet: Your Partner in IT Strategy

At Powernet, we believe in being more than just a managed services provider due to things like The Privacy Amendment Act of 2017, because the consequences of noncompliance are so severe and organisations of all sizes need all the help they can get.

Before the new laws go into effect, it is recommended that all Australian businesses audit their current IT security processes to help guarantee that they have adequate protection not only to avoid a cyber attack, but also to begin preparing a data breach response plan as early as today.  By doing so, they help make sure that if a breach does occur, they can respond as quickly as possible to avoid the hefty fines outlined above.

If you'd like to learn more about Australia's new data breach legislation, or if you'd just like to find out more about what a managed services provider can do for your organisation, don't delay — contact Powernet today.