Mandatory data breach reporting legislation in Australia is looming, and as awareness of consumer surveillance grows, data privacy has become a global conversation.
Vormetric country manager, Brian Grant, said the looming legislation in Australia reflects what is already happening around the world, and though mandatory data breach reporting is not currently in effect, he urges Australian businesses to follow best practice measures for data security.
Deloitte privacy and data protection lead, Marta Ganko, also urged businesses to follow best practice in data security.
She said the most popular question businesses ask Deloitte is how they can maximise commercial opportunities from the information that they collect.
“Most organisations have their governance practices down pat. They know the privacy risks. Most organisations are struggling in the compliance-only space, and often because operationally, staff within organisations do not know their obligations,” Ganko said.
She explained that consumers are becoming increasingly aware of how they are surveilled, and said the time to start preparing and putting measures in place is now, before the data breach reporting laws come into force.
“Everyone has realised data is money, the more you collect the more you know about customers. But how do you balance that without crossing the creepy line and ensuring that you are doing the right thing by your customers? If you have arrangements with third parties where data is being disclosed, are you confident that you know where the information is and are you telling your customers where it is potentially going?”
Solista co-founder and general manager, Noel Allnutt, raised the question of data responsibility.
He said, “The individual is responsible for at least having a password to lock down data, out of a duty of care for themselves, but the challenge is that there is so much technology and so much threat; is it fair to ask the individual alone to be fully responsible? How does responsibility sit with business when so much data is freely given?”
According to Grant, best practice standards equate to high levels of data security and separation of duties, so that no one person within an organisation has control over data. He added that if businesses encrypt their source information to a globally accepted standard, there is a chance the company will not have to report a breach to a privacy commissioner in the event of a cyber-attack.
Under the proposed legislation, businesses have a 30-day period to notify a privacy commissioner. Grant’s advice was not to report immediately.
“You should take time to assess what has happened and get the facts straight. In some cases, you have the ability to request an extension with a privacy commissioner. There is flexibility within the legislation.”
The legislation also upholds that in the event of a data breach, every individual who has potentially been compromised is to be notified.
“There is a caveat that says if it is not practical to call up every single individual, you can publicise it. You should discuss with the privacy commissioner as to how adequate the notification is, whether it is publicised on the business website or in a major newspaper. It depends on where your users are.”
Grant also highlighted that brand reputation is king.
“If you are a CEO of an organisation that has a major data breach there is a pretty good chance that is the last job you will ever have. Brand is king and if you damage the brand in Australia, you damage the brand globally,” he added.