Upcoming penalties of up to $1.7 million for companies and $340,000 for individuals mean that professional firms and their clients will need to be prepared for the Privacy Amendment (Notifiable Data Breaches) Act 2017 (commencing 22 February 2018) if they are to avoid fines. These penalties are in addition to the cost of remediation and any compensation owed to customers affected by a breach at a professional firm or one of its clients.
In brief, the law will require organisations to notify affected individuals, and to report to the Privacy Commissioner, where a data breach that is likely to cause ‘serious harm’ has occurred. ‘Serious harm’ may include physical, psychological, economic or financial harm, but would not include individuals merely being distressed or upset.
The notification will need to include the identity and contact details of the organisation, a description of the breach, the kinds of information concerned, and recommendations to affected individuals about the steps they should take in response. Failing to notify those affected may attract a fine for both the individual director(s) and the company.
This is a fundamentally different set of provisions from what is in place at present, and it places a significant onus on businesses that handle customer and client data to ensure that data is kept in a secure environment.
Under the new laws, in the event of a breach, professional firms and their clients’ organisations must be able to demonstrate that they have complied with the relevant legislation and have taken reasonable steps to protect their data and systems.
Examples of breaches that we believe would require reporting under the new laws, where the breach is likely to result in serious harm to the individuals concerned, include but are not limited to:
- Ransomware attacks
- Theft of customer details
- Data theft using USBs
- Stolen credit card details
- Malware attacks
- Unauthorised access to financial transactions by unknown parties
For further information, please contact your regular Pitcher Partners representative or a member of the Critical Point Network team.