The Notifiable Data Breaches Scheme

Posted on January 30, 2018 by ATB Chartered Accountants

It is expected that the Notifiable Data Breaches (NDB) scheme will come into effect from 23 February 2018, which means that businesses will need to comply with new data breach notification obligations.

Breaches in cyber security can cause long term damage to your business, not only to data, systems and hardware but also to your business reputation. ATB Director, Michael Mekhitarian says “it’s worthwhile to invest in good cyber security processes and systems”.

What does the new Notifiable Data Breach scheme mean?

The NDB scheme has been set up to regulate notification of data breaches in Australia. It requires specific actions to be taken when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

Organisations that have had their data breached will need to notify their customers as well as the Office of the Australian Information Commissioner (OAIC), as soon as they are aware of the breach.

“It would be very uncomfortable to tell your clients that your data has been breached, that other people have got their information – so this is a big deal.”

Internet security

Why have this legislation?

Due to the growth of the digital age and the large amounts of personal information being collected and stored online, the legislation aims to proactively protect the data of individuals.

It also aims to provide steps to protect individuals whose information has been compromised.

Who does the law apply to?

The new law applies to all government agencies and organisations governed by the Privacy Act. (e.g. Many private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million.)

Michael advises “The government is now mandating that a business with a $3 million turnover, is required to notify all of their clients, if they have security breach.”

The Privacy Act also extends to some types of businesses with an annual turnover of less than $3 million, so it’s best to check with your tax professional if you’re affected.

Cyber security attack

What is a data breach?

A data breach is where there has been unauthorised access to or disclosure of, personal information, usually with the intent to cause harm.

There are numerous threats to your business, including encryption, phishing, identity fraud, backdoor attacks and credit card fraud. Michael discusses some of these threats in his article “Cyber Security and Your Business Systems”.

Which data breaches require notification?

The scheme only applies to ‘eligible data breaches’. These are data breaches that are likely to result in serious harm to any individual affected.

Organisations must conduct their own assessment of the suspected data breach and determine if it is likely to meet the criteria of an ‘eligible data breach’ and as a result require notification.

What happens in the event of an “eligible data breach”?

If an organisation believes an ‘eligible data breach’ has occurred, they must notify all their clients as a matter of priority.

Organisations must advise:-

  •   the identity and contact details of the organisation
  •   a description of the data breach
  •   the kinds of information concerned
  •   any recommendations about the steps individuals should take in response to the data breach

The organisation will also need to notify the Australian Information Commissioner of the suspected breach, using their Notifiable Data Breach statement — Form.

What penalties apply?

The good news is that the aim of this legislation is to protect businesses who are proactive in their efforts to deal with data breaches.

However, some penalties do apply, such as public apologies and large compensation payouts. There is also the risk to the reputation of the business and the associated cost.

Cyber Security

Are your accounting systems secure?

Organisations should act now to ensure their cyber security systems are in place, in order reduce the risk of data breaches and protect the personal information of their customers.

Michael gives you some tips on how to effectively minimise your risk in his article: “Cyber Security and Your Business Systems”.

Review your systems…now!

If you’re not sure your accounting systems are up to scratch, contact ATB Chartered Accountants, we can review your systems and make the best software recommendations to meet your needs.