Companies that collect your information are required by law to keep it secure. They must have reasonable protection standards and keep them up to date so unauthorised individuals don’t have access to customer, employee or associate information. However, data breaches can occur regardless of the protective measures in place. Until recently, companies weren’t required by law to inform you if there was a data breach, but that has changed with the Notifiable Data Breaches (NDB) scheme introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Here’s what you need to know about it:
What was the state before this act?
Before these new laws, companies were only encouraged to inform people about data breaches. They weren’t required to report anything to the Office of the Australian Information Commissioner (OAIC), though it was generally advisable. Many companies did so for the sake of transparency, but not all thought it necessary, and businesses managed their compliance with the Australian Privacy Principles on their own. This meant victims of a data breach seldom knew that their personal information was available to unauthorised individuals to see or use.
What does the new act say?
Organisations and agencies with obligations under the Privacy Act 1988 must now notify affected individuals and the OAIC if there’s a data breach that is likely to cause serious harm. Entities that fail to comply can face penalties of up to $2.1 million. You can now expect to receive data breach notifications, and companies will provide information on how and when they will convey these messages. People can also lodge a privacy complaint with the OAIC if they suspect an organisation has breached their privacy.
What is considered a data breach?
When personal information is accessed by, disclosed to, or lost to unauthorised people, it can be considered a data breach. For example, if a storage device that contains a customer’s personal information is stolen, that is a data breach. Other examples include personal information accessed through hacking, or shared by mistake with unauthorised individuals.
When will you receive breach notifications?
The key phrase here is “serious harm”, as not all breaches must be reported. Many minor incidents happen all the time, and the scheme does not require notification of every one of them. If personal information falls into the wrong hands and is likely to cause serious harm to the individuals concerned, the company must report it promptly. This includes financial, physical or psychological harm. Here’s what can be considered serious:
- Information leaked to an abusive or criminal ex-partner.
- Personal banking information that can lead to financial fraud.
- Identity theft, which can have a serious impact on personal, professional, and financial lives.
- Information that can cause harm to reputation and personal relationships.
- Data that can cause serious psychological harm.
Entities under this scheme must notify you promptly if a data breach places you at risk of serious harm. This can be done through a personal email, SMS, a direct call, or a notification on their website. It has to be done as soon as practicable once the entity concludes that a notifiable breach has occurred (the scheme allows up to 30 days to assess a suspected breach), which gives victims time to prepare or ensure their personal safety.
What information will a notification contain?
Companies will send a detailed message, so victims of the breach know what to do. Every notification will contain information such as:
- The company name and contact details.
- What kinds of personal information were involved, and when the breach occurred.
- A description of how the breach happened.
- Recommended steps individuals should take in response.
It’s advisable to act quickly once a breach has been identified. Both the company and the victim must act to protect their interests. The company should notify the OAIC as soon as it has the relevant information, including details of the security measures in place and the steps being taken in response. This helps victims protect themselves and helps companies maintain their reputation.
For more information on how Max My Profit can help you with your business, please contact us here