Australia Introduces New Mandatory Data Breach Notification Legislation

By Phil Robson, Pre-Sales Engineer

Globally, data breaches are on the rise, and companies are becoming acutely aware of the damage a breach can do to their brand's reputation.  Recently Uber admitted to covering up a breach of 57 million rider and driver accounts by paying off the people who had stolen the data.  Despite having known about the breach for over a year, Uber's new CEO admitted that the company had failed to notify either the affected individuals or regulators.

With the threat level increasing every day and cyber-attacks becoming more sophisticated, governments around the world are finally following in the footsteps of the United States, where 48 of the 50 states require organisations to notify individuals of security breaches involving personal information.  In the EU, the General Data Protection Regulation (GDPR) comes into force in May 2018, and in Australia organisations are preparing for comparable legislation that takes effect this month.  From 22 February 2018, the Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches.

So, what do organisations in Australia need to know about the new legislation, and how will it affect the way they handle their clients' personal data?


The Basics of Australia's Notifiable Data Breaches Scheme

Let's start by looking at who the new law applies to.  Because the new legislation is an amendment to the existing Privacy Act, it applies to any entity that the Privacy Act 1988 already requires to keep personal information secure: Australian government agencies, and private sector businesses and not-for-profit organisations with an annual turnover of more than A$3 million.  Businesses with an annual turnover of A$3 million or less are generally exempt from the Privacy Act, unless they fall into one of the exceptions for small businesses that handle personal information, such as private health service providers, businesses that trade in personal information, and credit reporting bodies.  Organisations that handle tax file numbers are covered in respect of that information regardless of turnover.  In practice, if your organisation collects personal information, credit reporting information or tax file numbers, it is very likely to be covered, and the small business exemption should be checked rather than assumed.

An organisation bound by the Privacy Act must notify the OAIC and affected individuals once it has reasonable grounds to believe that an eligible data breach has occurred.  The legislation treats a breach as eligible when there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the organisation, and a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates.  Serious harm may include serious physical, psychological, emotional, financial or reputational harm.  In practice, an organisation needs to weigh the kind and sensitivity of the information involved, who has obtained it, and whether it is protected by security measures, such as strong encryption with a key the attacker does not hold, that make it unlikely to be usable; a lost laptop with a full-disk-encrypted drive is a very different case from a plaintext database dump.  There is also an important exception: if the organisation acts quickly enough that the breach is no longer likely to result in serious harm, for example by remotely wiping a lost device before it can be read, the breach is not eligible and notification is not required.

If an organisation suspects that an eligible data breach may have occurred but is not yet sure, it must carry out a reasonable and expeditious assessment of the circumstances, completed within 30 days of becoming aware of the suspicion, to determine whether an eligible breach has in fact occurred.  Once the organisation concludes that it has, it must prepare a statement for the OAIC as soon as practicable and notify the affected individuals.  The statement must identify the organisation and its contact details, describe the breach, list the kinds of information involved and recommend steps individuals should take in response.

It's important that organisations prepare for the new legislation by having a detailed, tested data breach response plan in place.  Knowing in advance how your organisation will respond to a breach produces a better outcome both for the individuals affected and for the organisation itself, not least because the 30-day assessment clock starts as soon as a breach is suspected.  The scheme does not penalise an organisation for suffering a breach: an organisation that meets the assessment and notification requirements will not be penalised by the OAIC simply because a breach occurred.  Failure to meet the notification obligations, however, is treated as an interference with privacy, and serious or repeated interferences can attract civil penalties of up to 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate (at the A$210 penalty unit in force since July 2017, A$420,000 and A$2.1 million respectively; the A$360,000 and A$1.8 million figures often quoted are based on the earlier A$180 unit).


What Does This Mean for Contact Centres?

Contact centres serve as the hub of customer outreach and so collect a great deal of personal information: phone numbers, payment card details, physical and email addresses, and often birthdates and healthcare information.  Organisations operating contact centres are therefore particularly exposed to data breaches, and much of what they hold is exactly the kind of information whose loss is likely to result in serious harm.

In fact, in a recent survey of customer service representatives (CSRs) working in contact centres worldwide, Semafone found that over 70% of CSRs who take payments or collect other personal information over the telephone still require customers to read this information out loud, potentially exposing it to the CSR, to call recordings, or even to nearby eavesdroppers.  Even more startlingly, over 40% of CSRs who reported experiencing or witnessing breach attempts failed to report the situation.

With that in mind, there are a number of measures contact centres can take to reduce both the likelihood and the impact of a breach, and so reduce the chance of ever having to make a notification under the new scheme.

  1. Enforce stringent hiring procedures – With more threats coming from inside organisations than ever before, it's essential to make sure employees are trustworthy and won't pose a security risk. Every prospective employee should pass a background check before starting work, and each role's access to customer data should be limited to what that role actually needs.
  2. Provide security training for employees – Cyberattacks are becoming more sophisticated and harder for the average office worker to spot at first glance. Employees must be trained to recognise threats such as phishing and social engineering and to know how to report them. The survey figure above, in which over 40% of CSRs who witnessed a breach attempt did not report it, shows why reporting matters as much as recognition: an incident nobody reports can never be assessed, let alone notified in time.
  3. Remove customer data from the contact centre entirely – Semafone is fond of the saying, "They can't hack what you don't hold!" By not storing sensitive customer data in the first place, organisations drastically reduce what a breach can expose, and a breach that exposes nothing likely to cause serious harm is not a notifiable one.  Any piece of customer information not essential for a transaction or another legitimate purpose should never be stored, and the Privacy Act already requires personal information to be destroyed or de-identified once it is no longer needed.  Solutions like Cardprotect from Semafone are one way to keep customer data such as payment card numbers from ever entering the contact centre infrastructure.

Although Australia has lagged behind other countries on data breach notification obligations, and it has taken some time to introduce a mandatory scheme, the resulting legislation is one that other nations can look to.  The Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed a year before the scheme commenced, so organisations in Australia have had ample time to prepare, and with proper preparation most should have adequate policies and procedures in place to meet the new requirements.

Semafone