New Data Breach Laws are Coming in February 2018 – Are You Ready?
We are in the middle of the Digital Age.
For years now businesses have been increasing their online presence through the development of websites, regular social media posting and online data management. With so much of the population turning to Google to answer their every inquiry, having an online presence is no longer optional for organisations, but a necessity.
It is no different for churches and not-for-profit organisations. Each passing year brings a greater expectation for our organisations to be present online. Most churches now have a website and social media presence along with some form of computer database for their members. This may be a Microsoft Excel spreadsheet with the names and numbers of congregants, or more specialist software such as Elvanto Church Management Software.
However, with digital information and storage comes risk, and the Government is now getting involved in protecting private information by creating laws to enforce the safe management of this data.
Organisations that collect and store personal information should be aware that the ‘Notifiable Data Breach’ (NDB) scheme comes into effect on 22nd February 2018.
This is essentially a reporting scheme for serious data breaches – i.e. breaches that could result in serious harm to individuals or organisations.
Who the scheme applies to
The NDB scheme applies to entities that currently have obligations under the Privacy Act. This includes many churches, charities and other not-for-profits, faith centres, agencies and businesses that collect and store personal and sensitive information – such as names, addresses, emails, and financial and / or medical data.
The Privacy Act stipulates that such information be collected only for a specific purpose, and stored securely to prevent unauthorised access, loss or interference. This includes keeping it in secure storage and/or destroying it when no longer needed, such as by shredding paperwork and destroying digital copies.
How privacy can be compromised
Cyber-attacks, information theft, and accidental or deliberate disclosure or loss of information can all result in data breaches.
Have you ever had an email from an unknown source saying something like “you are a lucky winner of $10,000,000, click here to receive your winnings”? If so, you have already been on the receiving end of a cyber-attack. Hackers use links and attachments like these to install dangerous software on your computer. There are many forms of cyber-attack: the example above is a phishing attack, and others include brute force attacks, social engineering, denial of service attacks and malware/spyware attacks.
In some cases a cyber-attack can lead to a privacy breach causing serious harm. The OAIC (Office of the Australian Information Commissioner) gives the following as examples of ‘serious harm’: threats to safety, significant financial loss, identity theft, loss of business or employment, reputational damage, humiliation, and workplace bullying.
Dealing with notifiable data breaches
Not all data breaches need to be reported. Where an organisation finds or suspects that a breach has occurred, it will need to investigate the matter within 30 days of occurrence to determine whether serious harm, as defined by the OAIC, is possible.
If the investigation finds that serious harm is likely, the organisation will then need to notify those affected. This can be done by notifying all individuals, by notifying only those at risk, or by publishing a notice on its website.
The organisation will also need to submit a report to the OAIC, and take steps to prevent further harm from occurring – such as by limiting further access or by recovering lost information.
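The steps above (investigate within 30 days, notify if serious harm is likely, report to the OAIC, contain further harm) are the bones of a breach response plan. The following is an added example of a small tracker for such a plan; it is not code from this article or from EA Insurance Services. The class and function names are the author's own invention, the serious-harm categories are the OAIC examples quoted above, and the 30-day window is the one the article states. The sample incidents at the bottom are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Set

# Serious-harm examples the article attributes to the OAIC.
SERIOUS_HARM_FACTORS = {
    "threats to safety", "significant financial loss", "identity theft",
    "loss of business or employment", "reputational damage",
    "humiliation", "workplace bullying",
}
ASSESSMENT_WINDOW_DAYS = 30  # investigation window stated in the article


@dataclass
class BreachRecord:
    """One suspected or confirmed breach, as logged in the response plan (hypothetical class)."""
    description: str
    discovered: date                  # when the breach occurred / was found
    assessed: bool = False            # has the serious-harm investigation concluded?
    likely_harms: Set[str] = field(default_factory=set)  # findings, using the OAIC wording
    contained: bool = False           # further access limited / lost data recovered?

    def __post_init__(self) -> None:
        # Assumption of this example: findings must use one of the listed
        # categories, so a typo cannot silently drop an incident out of scope.
        unknown = {h for h in self.likely_harms if h not in SERIOUS_HARM_FACTORS}
        if unknown:
            raise ValueError("harm not in the OAIC list: %s" % sorted(unknown))

    def assessment_deadline(self) -> date:
        return self.discovered + timedelta(days=ASSESSMENT_WINDOW_DAYS)

    def serious_harm_likely(self) -> bool:
        return bool(self.likely_harms)


def required_actions(record: BreachRecord, today: date) -> List[str]:
    """Return the outstanding response-plan steps for `record` as of `today`."""
    actions = []
    if not record.contained:
        actions.append("contain: limit further access and recover lost information")
    if not record.assessed:
        deadline = record.assessment_deadline()
        if today > deadline:
            actions.append("ASSESSMENT OVERDUE since %s" % deadline.isoformat())
        else:
            actions.append("complete serious-harm assessment by %s" % deadline.isoformat())
    elif record.serious_harm_likely():
        actions.append("notify affected individuals (all, only those at risk, or a website notice)")
        actions.append("submit breach report to the OAIC")
    else:
        actions.append("no notification required; record the assessment outcome")
    return actions


if __name__ == "__main__":
    # Constructed sample incidents, not real events.
    incidents = [
        BreachRecord("Member spreadsheet with medical notes emailed to wrong recipient",
                     date(2018, 3, 1), assessed=True,
                     likely_harms={"identity theft", "humiliation"}, contained=True),
        BreachRecord("Unencrypted USB stick with contact list lost in car park",
                     date(2018, 3, 1)),
    ]
    for inc in incidents:
        print(inc.description)
        for step in required_actions(inc, date(2018, 4, 5)):
            print("  -", step)
```

Each record carries the two facts the scheme turns on (has the assessment concluded, and did it find a listed harm likely), and the containment step is reported regardless of the outcome, since limiting further access is expected whether or not notification follows.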
Tips for organisations
- Develop tight policies and procedures around the collection of information. This includes collecting it only for a specified purpose and storing it securely. If information is to be stored digitally, security can be managed through logins and passwords, access restrictions, backups and encryption.
- Appoint staff members to oversee how collected information is managed.
- Develop a response plan for notifiable data breaches.
- Consider conducting staff training sessions on the importance of privacy protection and information security and on how to recognise data breaches.
- Consider a Cyber Insurance policy, which can provide assistance in case of a breach.
If you want more help developing a Cyber Protection program, please feel free to contact us at EA Insurance Services. We would be happy to assist.
by Tess Oliver