The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into being recently.
The newly-passed law means organisations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach. The legislation considers a serious breach to have occurred when there is unauthorised access to, disclosure or loss of customer information held by an entity, which generates a real risk of serious harm to individuals involved. Any organisation that is accountable to the Privacy Act will be required to inform the Australian Information Commissioner and members of the public if their data has been compromised.
BEGIN WITH THE END IN MIND.
For those organisations that have not had a breach yet – Step 4 is a good one to review. Step 4 provides the guidelines to follow IF you have breached information. Don’t be a victim – be proactive and reduce the risk of being fined $1.8 million due to a trusted insider breaching your organisation’s data.
Data Breach Notification: A Guide to Handling Personal Information Security Breaches
Step 4: Prevent future breaches
Once the immediate steps are taken to mitigate the risks associated with the breach, agencies and organisations need to take the time to investigate the cause and consider whether to review the existing prevention plan or, if there is no plan in place, develop one.
A prevention plan should suggest actions that are proportionate to the significance of the breach, and whether it was a systemic breach or an isolated event.
This plan may include: a review of employee selection and training practices
What Cleard.life found disconcerting is that the published Privacy Guides recommend that only AFTER a breach occurred (Step 4), your organisation “might” consider “reviewing employee selection practices”. Update: Jan 2020. The Privacy Commissioner recently REMOVED the “employee selection” action, although it is now a mandatory to suitability screen personnel in the public sector!
If the source of the breach was identified as a staff member, or contractor – a trusted insider – your customers, the Privacy Commissioner and the community at large, will be asking:
- What, you don’t vet staff in any substantial way (a referee check or police check is sufficient now-a-days)?
- What, you never asked about their unintentional or intentional security breaches in the past?
- What, you never asked about their illegal drugs, alcohol or gambling situation which made them vulnerable to coercion?
- What, you never asked about their untreated mental health condition which made them seriously unreliable?
- What, you never thought to question the string of obvious illegal acts, which didn’t show up on the Police check?
Trusted Insiders turn Malicious
Malicious insiders are trusted employees and contractors who deliberately and wilfully breach their duty to maintain the security of privileged information, techniques, technology, assets or premises.
“Trusted Insiders” contribute to a significant portion of breaches, and businesses ought to have a strong personnel security regime – at the “entrance” of the company — which includes a solid trusted insider management program that checks a person’s Honesty, Trustworthiness, Tolerance, Maturity, Loyalty and Resilience – inside the shortlist/selection process. Not only will it assist you to comply with Australian Standards for pre-employment screening, it also sets the tone for the Business-As-Usual security awareness culture of your organisation.
Organisations don’t come to Cleard.life because they just want to buy a background check, or even a pre-employment qualification. They come to us because they need to solve a personnel security challenge – such as PSPF compliance, assurance or to mitigate Privacy Act breach risks.
With us, they find solutions.
Contact us today on (02) 61-71-41-71 or firstname.lastname@example.org or find out more www.cleard.life.
Or start your first Free Assessment today www.cleard.life/join
Q. Do you do background checks on key personnel of your third parties? Your organisation may need to consider the implications of the new legislation in relation to outsourcing and other arrangements with third parties who hold personal information for your organisation. Any checks must constitute more than adding a clause into your NDA or Deed, agreement or contract. eg. “The 3rd party warrants that neither it or its Personnel have been convicted of an offence under the Criminal Code.” Manage your Third Party risks well. We can help in this area – here.