Governments are increasingly taking control of cybersecurity issues for the citizens and organizations they serve. Just last year, Europe passed the General Data Protection Regulation, or GDPR, which requires businesses that handle European citizens’ data to notify customers if they experience a data breach, as well as report it to the regulatory body. In the US, 47 out of 50 states have enacted legislation touching on data breach notification requirements, and Canada requires hacked organizations to notify both customers and the Privacy Commissioner.
It seems that with the sharp increase in hacking incidents around the world in recent years – and the many adverse effects they pose – governments can no longer leave it up to business discretion as to how to handle customer data before and after incidents.
Now, it’s the Australian government’s turn to tighten their security regulations. A major amendment to Australia’s ‘Privacy Act 1988’, called the Privacy Amendment (Notifiable Data Breaches) Bill 2016, was approved by the Australian Parliament this past February. The amendment introduces “mandatory data breach notification provisions for agencies, organizations, and certain other entities that are regulated by the Privacy Act.” Failure to comply could cost an individual up to AU$260,000 and an organization would face fines of up to AU$1.8 million.
So, Australian organizations – are you prepared for this new change? Here’s a deep dive into the Privacy Act, the new amendment, and how you can prepare your business for compliance.
What Exactly is Privacy Act 1988?
Privacy Act 1988 is an Australian law meant to help regulate how businesses handle personal and sensitive information. The Privacy Act is made up of 13 underlying standards, referred to as the Australian Privacy Principles, or APPs, which were added to the Act in 2014. The Act defines personal data as any “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable,” including names, addresses, phone numbers, dates of birth, medical records, bank info, and even signatures along with opinions or commentary on a specific person.
The Privacy Act is a required regulation for all Australian government institutions, any private sector or non-profit business with an annual revenue of at least $3 million, along with all private health care providers and any business that deals with buying or selling personal data.
The 13 APPs involved in the Privacy Act are fairly comprehensive when it comes to securing personal data. They cover how data should be managed, how to deal with unsolicited data, how to secure it, and rules on the accuracy and correction of data, among others.
What Do I Need to Know About the Privacy Amendment (Notifiable Data Breaches) Bill and Act?
The act has been in place since 1988, and various amendments before now have been added to address further points. Now, with the Privacy Amendment (Notifiable Data Breaches) Bill 2016, pegged to go into effect in early 2018, companies are additionally mandated to notify customers when their data has been exposed.
A data breach is considered ‘eligible’ to be reported if “personal information held by an entity is subject to unauthorized access or disclosure, and a reasonable person would conclude that the access or disclosure would… likely result in serious harm to any of the [affected] individuals.” The serious harm part refers to any physical, emotional, financial, or psychological harm.
Exceptions on data breach notification requirements exist, including if the organization takes action quickly enough that no harm is done, or if a reasonable person would determine that the breach did not cause significant harm to any single individual.
Australia has dealt with a number of security breaches and privacy issues recently. 2016, for example, saw a 25% increase in incidents over the previous year. Last year also saw the continent’s biggest data breach ever, with 1.3 million health records exposed. Australian government bodies have been dealing with data breaches themselves: the Australian Bureau of Statistics reported 14 data breaches from 2013 to 2016, and some Australians even refused to respond to census questions out of fear for their privacy. Reducing identity theft, which costs Australians nearly $2 billion each year and affects between 4 and 5 percent of the population annually, is another welcome reason for the bill.
Suffice to say, this amendment serves not only to better protect businesses and the customers they serve, but also to help Australian citizens – and anyone entrusting their personal data in Australian businesses – gain back faith when it comes to privacy and security concerns.
3 Key Ways to Prepare for the Bill:
The new amendment creates a compelling opportunity for businesses to reduce risk by better identifying any gaps or vulnerabilities that could lead to a data breach. Here are three ways to embrace the new regulation and prepare your business for its requirements.
- Evaluate your data collection policies and their effectiveness
Make sure you’re not collecting more data than you need to, and review your policies on how data is handled internally and shared externally to determine whether they comply with the Privacy Act and the Privacy Amendment Bill. Additionally, public cloud users should ensure their providers follow the regulation as well – or switch providers before the bill goes into effect. The bill includes provisions on organizations using third parties to store and handle personal information: protection is required no matter where your customer data is stored.
- Perform security testing to ensure your applications securely store customer data
For any organization developing software, it’s crucial to continuously test your applications for security vulnerabilities. Databases and web apps are always at risk of attack, and it’s up to the security team to ensure their security, including the security of any data you’ve collected. Mitigate security vulnerabilities by employing security testing throughout the SDLC.
Read more about the Secure SDLC here.
- Test your database security continuously
Don’t let what happened to Anthem in 2015 happen to you – make sure your database is secure against attack. Ensure authorization and authentication policies follow the principle of least privilege and secure your database against SQL injection, one of the most prevalent database (and web app) security issues.
Read more about Database Security here.
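To make the SQL injection point in the database item concrete, and to show what the "continuous security testing" recommended in the application item looks like at the smallest scale, here is an added example (not code from the original post). It uses a constructed in-memory SQLite table of the kind of personal information the Privacy Act covers, compares a string-built query with a parameterized one, and wraps the comparison in a regression check a security team could run in the SDLC. The table, rows and probe string are constructed for illustration.

```python
import sqlite3

# Constructed sample data: personal information of the kind the Privacy Act covers.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "0400 000 001", "1980-01-01"),
    ("bob@example.com", "0400 000 002", "1991-02-02"),
]


def setup_db():
    """Create an in-memory customers table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone, dob) VALUES (?, ?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by concatenation: caller input becomes part of the SQL text."""
    sql = "SELECT email, phone, dob FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the driver sends the value separately from the SQL text."""
    sql = "SELECT email, phone, dob FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def resists_injection(lookup):
    """Regression check: a lookup for a value that matches no customer must return no rows.

    The probe is the textbook tautology; a data access function that returns rows for it
    is treating input as SQL and fails the check.
    """
    conn = setup_db()
    probe = "x' OR '1'='1"
    return len(lookup(conn, probe)) == 0


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe one)."""
    conn = setup_db()
    probe = "x' OR '1'='1"
    return len(lookup_vulnerable(conn, probe)), len(lookup_parameterized(conn, probe))
```

In a real pipeline, `resists_injection` would run against every data access function as part of the build, so a regression from parameterized to concatenated SQL fails the build before it reaches production.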
By Sarah Vonnegut