Protecting data is tricky business. Cyberattacks have become a global epidemic and are growing more powerful and harder to stop. Organisations, critical infrastructure and governments are being targeted with well-timed, sophisticated attacks.
Often, cyberattacks result in the loss of individuals' personal information. The Australian Cyber Security Centre (ACSC) 2017 Threat Report revealed that 47,000 cyber incidents had been identified over the preceding 12 months, a 15% increase on the year before.
As a result, governments around the world have enacted legislation aimed at protecting the rights of individuals whose personal information has been lost by the third parties holding it. Australia is no different. On 22 February 2018, amendments to the Privacy Act 1988 came into effect that place mandatory data breach notification obligations on organisations holding personal information.
Briefly, the data breach notification scheme applies to the agencies and organisations that the Privacy Act already requires to take reasonable steps to secure certain categories of personal information. In its first quarterly report on the scheme, the Office of the Australian Information Commissioner reported that 63 notifications had been received in the scheme's first six weeks, compared with 114 voluntary notifications received during the whole of the 2016-2017 financial year.
If an organisation suspects it has suffered a data breach involving the loss of personal information, it is critical that it urgently undertakes an assessment to determine whether the breach is an Eligible Data Breach under the Privacy Act, and then acts in compliance with its notification obligations.
In this article, FTI Consulting's global cyber experts, Anthony J. Ferrante, Pablo Lopez-Alvarez and Amrit Singh Deo, share perspectives on evolving cybersecurity regulations and on how governments and businesses around the world are preparing for the next data breach.
Remember, preparation is key to protecting your data and your organisation. As you read the article, ask yourself: "Has my organisation undertaken an information security risk assessment?"; "Are we adequately insured against cyberattacks?"; and "How would we respond to a cyberattack, and who could we call for help?"