What HR should know about Australia’s new data breach laws

Is your organisation ready for the incoming data breach notification scheme, applicable from this week? Mike Fleck outlines what HR needs to know

What HR should know about Australia’s new data breach laws

Is your organisation ready for the incoming data breach notification scheme, applicable from this week? Mike Fleck outlines what HR needs to know

HR leaders are involved in or responsible for some of the most private aspects of employees’ work lives. They are expert in compensation and benefits, and manage numerous uncomfortable topics, such as substance abuse, workplace hostility and unethical behaviour. The obligation to secure this information is obvious to HR executives. However, Australia’s new data breach rules formalise this obligation, and there are serious ramifications if organisations fail to comply.

The new legislation
From 22 February 2018, most Australian organisations and agencies with annual turnovers of more than $3m, and holding personally identifiable information (PII), must report all eligible data breaches to the Office of the Australian Information Commissioner and to all affected individuals. Eligible breaches are those that involve personal information and are likely to result in serious harm to the owners of that PII. The OAIC has published a useful guide outlining all the details.

It is important that organisations understand these new obligations, as non-compliance could result in penalties of up to $1.8m. This is before you factor in the other costs of a breach, including operational delays, extensive activities to investigate and remediate a data breach, legal advice and action, brand reputation damage, loss of consumer confidence and loss of business opportunities and revenue.

Data breaches impact employees
Employees and businesses can be disrupted long after a breach is discovered. This is obvious when it is employee data stolen by criminals. However, employees are impacted even if a data breach is unrelated to employee information. While consumers may be comfortable to return to a company soon after a breach, employees may not be so quick to forgive and forget, especially if they perceive there to be substandard privacy and cybersecurity practices. Data breaches also create uncertainty for an organisation if leadership quits, are fired or are reassigned, in response to real or perceived failures. This can lead to anxiety among employees, many of whom may start looking for new jobs elsewhere.

Focus on improved protection for sensitive data
Two problems emerge when trying to comply with the NDB scheme:

  • it can take nearly a year for data breaches to be discovered
  • accurately understanding which individuals were affected by a breach is not easy

On the face of it, improved detection and response are critical to complying with the NDB scheme. However, due to the length of time between a data breach and detection, the affected individuals may experience harm before the organisation detects and assesses the breach. As such, organisations will do better if they focus on making personal data harder to steal.

Be well-versed in data breach risk management practices and cybersecurity
Understand what your organisation is doing to prepare for the new legislation. Be prepared to play a major role in your organisations’ data breach risk management and response to data breach events. To be effective in these activities, ensure you are equipped to do so and empowered by the executive team. HR executives should be helping to drive the requirements for improved data security and data breach response, and involvement and leadership in this area also reinforces the importance of HR’s position at the executive table.

So, HR leaders most certainly have an important role to play in preparing for the new data breach laws and ensuring organisational compliance. With the increasingly high chances that your organisation will experience a data breach at some point, and employee data so sought after by criminals, you should take a proactive approach to securing and protecting data. And, in doing so, be in a stronger position to retain the trust, respect and confidence of employees.

About the author
Mike Fleck is Vice President of Security at Covata, a leading provider of software solutions that protect data and enable secure collaboration. Covata’s data-centric security platform empowers businesses and government to discover, protect and control their sensitive information.