First off, a data breach is considered notifiable if confidential client information becomes accessible to unauthorised parties or is lost as a result of a breach of the privacy laws, and that access or loss is likely to cause harm to the affected individuals. This means that if your business experiences a breach, you will need to identify any affected individuals and determine whether or not the breach is likely to cause them harm. In these circumstances, harm covers anything from identity theft to serious physical, emotional, financial or reputational harm.
Some points to consider when investigating any possible harm include:
However, if you respond to the breach quickly and efficiently, you might be able to prevent serious harm from occurring in the first place, in which case your customers won’t need to be notified of the breach. As you can see, it pays to have systems in place so you can get on top of any potential breaches before they cause serious harm.
After you identify a privacy breach, you will have 30 days to investigate it and assess whether or not it will be classed as notifiable.
If it is notifiable, you will need to report it to the Office of the Australian Information Commissioner (OAIC) as soon as you are able to do so. The expectation is that you report it the moment you discover your breach is considered serious. All affected individuals will then need to be notified shortly after this.
At this stage, your business will be free to deal with possible breaches in any way you see fit, as long as you notify the appropriate parties in accordance with the new mandatory data breach notification laws. To help ensure you remain compliant with these laws, the following steps could prove helpful:
However, one of the most important things you can do to protect your business is to ensure you have a suitable cyber liability insurance policy in place. This will help protect your business financially in a worst-case scenario.