Australia’s new mandatory data breach notification scheme has been tentatively welcomed by digital rights advocates, while new research has found many businesses are not ready or even aware of the landmark regime.
The scheme, which came into effect on Thursday, requires all government agencies and businesses with annual turnover of more than $3 million to notify individuals if a data breach occurs that is likely to cause “serious harm”.
Failure to notify can attract fines of up to $2.1 million.
Electronic Frontiers Australia board member Peter Tonoli said the new scheme is a “positive step” in the right direction.
“EFA believes this legislation will underscore the importance of data privacy. It should improve organisations’ accountability to the people whose private information they collect through the audit and notification requirements this new legislation mandates,” Mr Tonoli told InnovationAus.com.
“Australians have a right to know when there has been a breach of their privacy so that they can take steps to protect themselves and these new measures will help to ensure this becomes a reality.”
But a series of new reports has found that Australian government agencies and businesses are not prepared for the new notification regime.
According to research conducted by GfK Australia in January for the Canon Business Readiness Index report, 59 per cent of the surveyed affected businesses are not aware of the new data laws, and 15 per cent of small businesses are “not at all” concerned about a security breach occurring.
The study, which surveyed 400 “key decision makers from the business and IT communities”, also found that only 40 per cent of Australian businesses have implemented six or more of the Australian Signals Directorate’s Essential Eight strategies for mitigating cyber risks.
A similar study, conducted by ACA Research for the HP Australia IT Security Study, found that half of the surveyed SMEs do not think they are ready for the mandatory data breach notification scheme, and only 18 per cent have a compliance policy in place.
It also found that 57 per cent of the companies hadn’t completed any sort of IT security risk assessment in the last year.
The study surveyed 528 Australian businesses with between 10 and 99 employees in November last year.
EFA board member Justin Warren said it was crucial that Australian businesses be aware of their new obligations.
“EFA hopes that the legislation will spur organisations to get better at protecting people’s information generally. Private data can be a liability, not an asset, and more organisations need to take this into account,” Mr Warren said.
“The greatest risk is that many organisations remain ignorant of their responsibilities under the law, and we encourage them to read the excellent resources provided by the Office of the Australian Information Commissioner,” he said.
“Otherwise you risk becoming a cautionary tale for everyone else of how not to do things.”
He said there are also concerns around the vague wording in the scheme, with no set definition for “serious harm”.
“While EFA is concerned that some organisations may attempt to weasel out of their responsibilities by overly narrow definitions of specific words, such as ‘serious harm’ or ‘partner’, we expect that customers will increasingly pressure these organisations to do better,” Mr Warren said.
“Not breaking the law should be the lowest of low bars for them to clear.”
Mr Tonoli added that it is crucial that the Office of the Information Commissioner is given the necessary resources to implement and enforce the new data breach regime.
“To ensure this legislation operates effectively, it will be imperative to ensure that the OAIC is provided with adequate resources to handle the increased workload associated with overseeing this new legislative regime,” he said.