Australian Boards of Directors Must Act on New Data Breach Legislation

[Figure: Cost of Data Breaches at Australian Companies (AU $). Source: IBM, Ponemon Institute]

In February 2018, amendments to Australia’s privacy law passed by the Australian Federal Parliament introduce a mandatory data breach notification regime, with implementation on 23 February 2018. The regime applies to agencies and organizations subject to Australia’s Commonwealth Privacy Act 1988. Failure to comply may result in fines of up to AU $1.8 million (US $1.36 million), as well as lawsuits against board members, who may be personally liable for non-compliance. Australian boards must act now to create a company-wide strategy for breach detection and notification, identify their data holdings and the controls protecting that data, and set the budget for security.

The passage of a new law, amendments to Australia’s Commonwealth Privacy Act 1988, governing data breaches

Australian board members individually liable

Data breaches cost Australian organizations an average of AU $2.51 million (US $1.92 million), approximately AU $139 (US $106.50) per capita, according to a report from IBM and the Ponemon Institute. Up to 70,000 records have been breached in malicious or criminal attacks, and 48 per cent of the companies surveyed had suffered major data breaches.

As Diligent CEO Brian Stafford notes, most organizations in Australia were under-prepared for data breaches. “The poor response capabilities point directly to the issue of accountability at the board level.”

In fact, Australian board members were unable to handle breaches properly, according to Sydney-based UNSW Business School experts Kayleen Manwaring and Pamela Hanrahan. “Australian directors are more at risk of prosecution than their US counterparts, especially given the tools available to Australia’s corporate regulator to hold directors accountable. The political climate at the moment is about individual heads on sticks,” says Hanrahan.

Australian companies can expect fines of up to AU $ 1.8 million for non-compliance. Manwaring notes that the potential for reputational damage to the company is considerable.

Notification Requirements

Experts at the Sydney office of Clyde & Co. explained that the requirements apply to all organizations subject to the Australian Privacy Principles (called “APP entities” under the amended act): broadly, companies and organizations that handle “personal information or sensitive information.”


The Office of the Australian Information Commissioner (OAIC) defines an “eligible data breach” as “a breach where:”

  • There is unauthorized access to, or unauthorized disclosure of, information; or
  • Information is lost in circumstances where unauthorized access or disclosure is likely to occur; and
  • A reasonable person would conclude that the access or disclosure is likely to result in serious harm to anyone.

“Harm” can include physical, psychological, emotional and financial harm.

Several factors must be weighed in deciding whether the access or disclosure is likely to result in serious harm. If an entity is unsure whether a breach is an eligible data breach, it must carry out a reasonable and expeditious assessment and take no longer than 30 days to make that determination.

Once the assessment has concluded that an eligible data breach has occurred, the entity must prepare a statement about the breach and communicate its contents to those to whom the information relates, or to those at risk from the eligible data breach.

Australian Directors should take steps without delay

Directors need to be confident that the cyber risks are adequately reflected within the organization’s risk framework. Directors therefore need to ask questions about resilience and response to incidents.

A report from the Australian Institute of Company Directors advises that, “Good privacy is good business in the first place. As the new reforms kick in, directors should be asking about their organization.”

The Institute recommends taking the following steps:

  • Inventory all data: intellectual property, customer databases, credit card numbers. Today, data may reside on any number of internal systems, but also with partners such as suppliers, credit managers and marketing firms. Companies are responsible for all of this data.
  • Controls and budget. The next question is: what controls are in place, and what is the overall budget for security? How much more will be needed is an immediate issue.
  • Incident response plan. Key to the effective management of any incident is an incident response plan. The new law requires a rapid determination: is this an eligible data breach? Remember that there is a 30-day time limit for that assessment. Who is on the response team?
  • External experts. Will they be required, and how quickly can they be mobilized?
  • Reporting. Who is tracking the steps taken and compiling a report, and who needs access to it?

“A Worsening Risk Environment”

David Owen, a cybersecurity and privacy partner at Deloitte Australia, warns that the risk environment is worsening; that is, there are more ways to be compromised.

Directors need to understand how breaches occur, Owen points out. For example, according to the recent FireEye M-Trends 2017 cybersecurity report, the initial entry by a threat actor occurs three months before its detection. This gives an attacker a significant window of time in which to move. This is why directors must act quickly to notify those who may be harmed by a breach: the damage may have been done long before directors become aware of it.

It can also be difficult for an organization to benchmark itself. “It’s a challenge to have good metrics to use to get a sense of what’s going on with the rest of the market,” Owen says.

Diligent Boards provides the highest level of security

Protection against attacks and threat detection are an intrinsic part of Diligent Boards.

The same applies to Diligent Messages and Diligent Evaluations. Data is hosted on secure servers and world-class infrastructure that Diligent owns and operates. All of Diligent’s solutions are ISO and TRUSTe-certified and internationally audited, with robust, customizable encryption and data access controls. If a device is lost or compromised, our remote wiping capabilities allow you to swiftly mitigate the risk.

For more information on Diligent Boards, you can request a demonstration.
