Data Breach Reporting

Mandatory data breach reporting is already a reality in Australia for large corporations. From 1 March 2018 this regime is being extended to cover all health providers (regardless of size) as well as SME businesses with revenues exceeding $3M per year.

Under mandatory data breach reporting you are legally required to report any data breach that is likely to have an adverse impact on your customers. You must notify all affected customers as well as the Office of the Australian Information Commissioner.

Failure to comply with the mandatory data breach reporting regime attracts the potential for substantial fines.

Data breaches are becoming a serious problem, with organised crime gangs profiting from identity theft, the sale of credit card numbers, the disclosure of personal information and the like. No organisation handling the personal information of its clients is immune from this risk, and the mandatory reporting regime aims to ensure transparency so that individuals can take the necessary corrective action, such as changing passwords or cancelling credit cards. Consumers and business customers are also increasingly aware of their rights to privacy, and this leads to many organisations closing down within six months of a serious data breach.

Complying with your legal requirements effectively requires a three-step process:

  1. You need to be aware that a breach has taken place,
  2. You need to be able to qualify what information might have been affected by the breach, and
  3. You need to notify any customers who may be adversely affected as a result of the breach.

Some of these steps can be implemented systematically by using controls like intrusion detection systems. But once a breach has been identified you also need to determine what potential damage has been done, and this will require human intervention and review.

Of course, the best approach is to minimize the risk of breach in the first place, or to have controls that limit the impact of breach when it occurs. That is where tools like unified threat management and active threat response come in.

Gamut Group can assist you with all of these tools and services. While we cannot guarantee that a breach of your systems will never occur, we can help to reduce the likelihood and impact of such events. We also provide assurance that you have implemented best-practice data protection procedures, which can go a long way toward rebuilding customer trust.