Mandatory data breach notification legislation to shift the goalposts for privacy compliance
Mandatory data breach notification legislation will shift the privacy goalposts for Australian companies, EY said.
EY Director Charlie Offer said that legislation introduced into the Parliament today by the Federal Attorney-General Mark Dreyfus meant Australian companies would have to report privacy breaches “that give rise to serious harm” both to the individuals affected and to the Office of the Australian Information Commissioner.
“This is a significant shift from the current situation where companies are naturally reluctant to disclose a breach or, more often, are unaware that a breach has even occurred.”
Mr Offer said the legislation would require a significant policy and behavioural shift for most organisations.
“Historically, I believe there has been significant under-reporting of privacy breaches in Australia and companies will run a real risk of sleepwalking into non-compliance if they don’t make the urgent changes required to adequately prepare for the new regime.
“The global experience is that a reportable privacy breach can arise from situations as disparate as a lost or stolen laptop containing customer information to a hack due to state- or corporate-sponsored espionage, which is far more challenging for a company to detect if it occurs.”
Mr Offer said this announcement increased the impact of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 reforms, already legislated to take effect from March 2014, which alone signalled a new era in privacy in Australia.
Mr Offer said that for most organisations the changes would be significant, requiring remediation projects to be adequately funded, and that this should be considered when organisations build their budgets for the 2014 financial year.
“The existing privacy reform requirements already meant that all companies need to reconsider how they handle personal data to avoid breaching the rules and risking fines of up to $1.7 million. The new breach notification requirements should add extra urgency to organisations’ attempts to ensure compliance with the new laws.
“To some, these changes might feel like we are playing ‘catch up’ but they are necessary to ensure we continue to keep pace with rapidly changing technology and consumer expectations around the collection, handling and secure storage of personal data,” Mr Offer said.
Mr Offer said that companies should be addressing these three areas immediately:
- Organisations underestimate the extent and nature of the personal information they collect and hold. Without a complete and accurate data inventory it is impossible to protect data or to identify when security is breached. The first step of any privacy programme is to identify all personal data currently held and analyse whether the organisation is sufficiently transparent about what it does with the data, confirm that all activities are allowed by law, and, vitally, ensure that the data is adequately protected.
- Business has also lost a clear line of sight over where data goes. Organisations are increasingly dependent upon partners, vendors, suppliers and outsourcers - as well as third parties’ sub-contractors. Mandatory breach notification requirements make it even more critical that ‘out of sight is not out of mind’ because organisations remain liable for any breaches. Good privacy management includes gaining regular assurance that business partners are complying with requirements.
- In reality, some sort of breach is almost inevitable and too many organisations are failing to adequately prepare for this worst-case scenario. Global experience has shown that how organisations deal with the aftermath of a breach can ‘make or break’ the relationship with a consumer. Smart companies have rehearsed incident management procedures, including breach notification procedures, which can be invoked to reduce the impact and severity of a breach for affected individuals, as well as the organisation itself.
EY is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
EY refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
This news release has been issued by EY Australia, a member firm of Ernst & Young Global Limited.
Liability limited by a scheme approved under Professional Standards Legislation.
Tel: 03 9655 2620 or 0417 859 323