Hire and Rental News - February 2018

INDUSTRY in FOCUS

New Privacy Act amendments

By Jason LeGuier, Practice Principal, CustomTec

In the most significant change to the Privacy Act since 2014, on 22 February 2018, a Privacy Act amendment comes into force making it mandatory to notify customers of data breaches. All companies with an annual turnover greater than $3m will be required to report eligible data breaches or else face significant penalties. Jason LeGuier from CustomTec explains the changes and consequences.

In March 2012, FBI Director Robert Mueller famously said: “I am convinced there are only two types of companies: those that have been hacked and those that will be.” Many security experts now disagree. They believe the two categories are those that know they have been hacked and those that don’t.

Cybercrime is huge business. Juniper Research recently predicted the annual global cost of data breaches will increase to USD $2.1 trillion by 2019. Yes, trillion. As digitalisation increases, so do the risks and impact of a data breach.

Most Australian businesses have had to comply with the Privacy Act 1988 for many years now. The Act regulates how personal information is handled. It defines personal information as: "…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable."

Common examples of personal information include an individual’s name, address, telephone number, drivers’ licence number and expiry, and birthdate; the sort of information that may be recorded as part of a rental agreement, for example.

A company required to comply with the Privacy Act must take ‘reasonable steps’ to protect the personal information it holds. This extends to situations where a company engages a third party to store, maintain or process personal information.

What steps and strategies may be reasonable to take? The Office of the Australian Information Commissioner (OAIC) makes a number of suggestions under nine broad areas:

• Governance, culture and training;
• Internal practices, procedures and systems;
• ICT (information and communication technology) security;
• Access security;
• Third party providers (including cloud computing);
• Data breaches;
• Physical security;
• Destruction and de-identification;
• Standards.

On 22 February 2018, a new Privacy Act amendment comes into force. For most Australian businesses, this means Data Breach Notifications become mandatory where a breach is determined to be ‘eligible’. This is the most significant change to the Privacy Act since 2014 and dramatically raises the bar for organisations and their leaders in terms of responsibility and accountability.

The new law means organisations that identify they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of the breach. The notification must include a description of the data breach, the information involved and what steps the customer needs to take to protect themselves from harm.

Failure to comply with the new legislation can attract penalties of up to $360,000 for individuals and $1.8 million for organisations. (Interestingly, state government organisations and local councils fall outside the legislation, as do businesses with less than $3 million turnover.)

In May, the EU’s General Data Protection Regulation (GDPR) also comes into force. This scheme affects companies that have an office in the EU, offer goods/services in the EU, or store information on individuals from the EU.

Such regulatory changes place additional obligations on companies not only to protect personal information, but also to take action in the event of a data breach. The notification alone can be highly damaging to a company’s brand.

It is important to understand a breach is not limited to a network being hacked by criminals. In fact, many data breaches can occur in day-to-day operation. Some examples of a data breach include:
