What you need to know about the new data breach legislation. Are you ready?
The Australian Government’s Notifiable Data Breach (NDB) legislation comes into effect today (February 22, 2018) and we are imploring RCSA members to ensure they are compliant.
Under the legislation, a large number of Australian businesses are now required by law to notify the Office of the Australian Information Commissioner (OAIC) if they know of, or suspect, a breach of their IT systems that allows unlawful or unauthorised access to the personal information held on their databases.
Breaches must be reported within 30 days of a business becoming aware of a possible breach.
While this legislation applies to businesses with an annual turnover of more than $3 million, RCSA members will likely still need to be legally compliant because of the sheer volume of personal data we collect.
“Despite the ‘small business exemption’ in the Privacy Act, we are taking the view that most RCSA members will be covered because they trade in the supply of personal information,” RCSA's legal adviser Andrew Wood Hon FRCSA (Life) said.
The RCSA Members’ Code of Conduct requires all members to take reasonable steps to maintain the privacy of information obtained in the course of their professional practice, regardless of whether there is any legal obligation to do so or not.
Under the NDB scheme, a breach occurs when personal data has been accessed in a way that may put individuals at risk of crimes such as identity theft.
In order to be compliant – and to ensure the data of clients and candidates is not breached – we recommend that members conduct a full audit of their cyber-security if they have not already done so.
“There is no one-size-fits-all solution [to cyber-security],” Mr Wood said. “However, the OAIC’s Guide to Developing a Data Breach Response Plan should put you on the right track and contains a useful Data Breach Response Plan Quick Checklist.”
Mark Laudrum, Director of RCSA Insurance, reported that more than 50 per cent of its clients are “actively purchasing cyber insurance to support them for if and when their data is breached”.
“Training and education are the best ways of minimising an agency’s risk of cyber-attack,” Laudrum explained. “The majority of data breaches occur through human error or lack of education about the best firewalls and data security technology, which can be easily breached when a team member opens a malicious file or website link.”
Laudrum warned that the sheer volume of personal data collected by recruitment agencies made them attractive targets for some criminals perpetrating ransomware attacks.
“We know that cyber threats pose a much greater risk to members than property risks and it is something we discuss with every member,” Laudrum said.
“This ongoing risk awareness is a key contributing factor in the high level of cyber insurance purchasing we have seen in recent months.”
Laudrum said a worst-case scenario for a company whose systems have been breached would be the loss of some or all of its data, IT systems and databases, including the loss of its accounting and payroll systems, software and websites.
“These threats could halt a business in its tracks, cease any employee payments for weeks as the systems are rebuilt or result in the loss of major contracts by the agency’s failure to place candidates on time,” he said.
“Cyber insurance is not a magic solution but it does offer risk minimisation. Ransomware payments are insurable and may lead to systems being opened up quickly once a ransom has been paid.
“However, if adequate and secure backup procedures are in place, databases and software can be reinstalled from these clean backups, perhaps enabling a business to be up and running again in a few days.”
While the financial damage caused by a cyber-attack can be crippling for a business, the reputational damage of a breach can be far worse, causing clients and candidates to question how secure their information is with your company.
Given all of these factors, it simply doesn’t make sense not to have checked your systems, trained your staff and put measures in place to safeguard the personal information on your database and your business.
For RCSA members who would like advice and guidance on the NDB, get in touch with us and we can connect you with the right people.