Data privacy Breach Compliance Guide


Will data breach legislation come into place?

The Federal Attorney General's Department is currently considering industry submissions on the need and impact of federal data breach notification (DBN). Attorney General Mark Dreyfus is broadly supportive of the legislation.

Australia's Privacy Office has released a revised guide to complying with possible DBN rules which urges organisations to prepare in advance.

Privacy commissioners agree that DBN rules are necessary. Some have hinted that Australian states may introduce their own rules.

When is data breach legislation likely to come into place?

The DBN is likely to form part of a suite of privacy reforms that come into effect from March 2014. However, the Government has acknowledged that DBN reforms will not be in force at that time, as industry will require sufficient time to adapt its systems.

Proposed DBN laws in the European Union have allocated 18 months for affected organisations to comply from the date they would come into effect.

What will constitute a breach?

The Federal Government is looking to overseas models to design its own DBN rules. Californian DBN law is considered the poster child of existing rules and is the most mature model.

Californian DBN law defines a breach as a loss of a record that includes a customer's first name and surname along with a social security number; a driver's license or identity card number; or bank account information, including the necessary security or PIN codes to grant account access. It also includes loss of medical records and insurance information.

The Federal Government will likely be initially conservative in setting what breaches need to be reported publicly.

What are the possible penalties?

Reforms set to come into effect in March 2014 allow the privacy office to take small-scale offenders to court to face fines of up to $22,000 for individuals and $110,000 for organisations. Repeat and serious offenders would face financial penalties of up to $220,000 for individuals or $1.1 million for organisations.

Federal Privacy Commissioner Timothy Pilgrim said he could force organisations to patch identified flaws or adopt better security systems.

Pilgrim says DBN laws should require organisations to report breaches to his office, and in certain circumstances he wishes to retain the power to decide if affected individuals should be notified. He believes the privacy office should have the power to compel organisations to notify those affected.

How should organisations prepare and respond?

The response to data breaches must be deliberate and systematic. Australian Information Commissioner John McMillan states that the quality and effectiveness of the response can rank in importance alongside the gravity of the data breach.

To this end, organisations should implement the incident response mechanisms required to deal with data breaches, including a communications/PR policy that dictates how the organisation will deal with inquiries from the press and customers in the event of a breach. It must be tested and understood by all staff.

SC Magazine recommends organisations begin by implementing the leading four recommendations of the DSD's Top 35 Mitigation Strategies.

Mandatory Data Breach Notification

A guide to compliance