Understanding and preparing for the renewed Australian Privacy Act

By Kurt Mueffelmann


Starting March 12, 2014, the renewed Australian Privacy Act 1988 will require businesses and government agencies to notify citizens when their data has been stolen or lost, or when their privacy has been violated. The Act applies to data breaches where there is a risk of serious harm.

“With businesses and government agencies holding more information about Australians than ever before, it is essential that privacy is safeguarded. The laws are good for consumers because they protect privacy, and are good for business because they will help create openness and trust,” said Attorney-General Mark Dreyfus QC in a press release earlier this year.

Dreyfus also said in The Sydney Morning Herald that “Up until now, there has been no legal requirement to notify people when a data breach has occurred. It has been up to the company or government agency to decide if and when to let their clients know that their privacy has been compromised.”

The new legislation dictates that both private and public sector data breaches must be reported to the Office of the Australian Information Commissioner (OAIC), and that consumers must be informed so they can take proactive steps to protect their data. To help enforce the legislation, the Privacy Commissioner can impose penalties for a breach of up to $340,000 for individuals and $1.7 million for companies. Now consider that, according to the Ponemon Institute's 2013 Cost of Data Breach study, the current average total organisational cost of a data breach in Australia is $4,104,932. The penalties that can be levied under the new Act have the potential to increase the total cost of a breach significantly for an organisation.

Surprisingly, though, a McAfee survey showed that many Australian companies are unaware that there are changes to the Act or fines for non-compliance with it. In fact, 59 per cent of employees responsible for managing the personal information of customers were unaware or unsure of the changes. The research also showed that more than one in five organisations admitted to data breaches, and that nearly half of the employees managing customers' personal information had not received training in managing and storing sensitive data.

How to Prepare for the Changes

In light of the changes, Australian organisations and companies with offices in the country must re-evaluate their data governance policies and review what technologies are in place to help protect confidential data. This includes building policies around the handling of personal data and training staff on the new policies and on the procedures to follow in case of a breach. However, the key to a successful privacy program is to prevent data breaches before they become a problem, both for consumer confidence and for the financial ramifications.

For many organisations this can be a significant challenge, especially for those that are actively encouraging social collaboration or using file shares and content management systems like SharePoint. Collaboration is a necessity in today's business world. The question is how to collaborate safely on sensitive data within the guidelines set by the Act and other regulations.

There are some fundamental steps every organisation can take to protect against data breaches and prepare for the new privacy requirements.

Identify Red Flag Risks

Violations of the Privacy Act 1988 are a risk to be avoided, but what data within the organisation needs to be protected, and where is it? Bring together stakeholders such as senior management, heads of communications, human resources and business units to assess the risks and suggest the policies the organisation requires. This should cover any personally identifiable information (PII) and/or protected health information (PHI) whose exposure would result in a risk of serious harm.

Also consider data discovery exercises that help identify data that places the organisation at risk. Many organisations will not be aware of all of the private information that exists within file shares and content management systems across the organisation.

Establish a Compliance Strategy

Determine which areas of risk to address and align this with the business strategy. Use stakeholder knowledge to define the organisation's compliance strategy against the business strategy. At the end of this step, organisations will have clearly defined policies in place to govern the handling of private information in accordance with the Privacy Act.

Monitor Policy Compliance

It is not just about setting a policy on paper and storing it within the organisation for employees to read and understand. You will be fined regardless of what policy is in place if a breach occurs. Whether each employee applies the policy to everyday work will be hard to monitor. Policing compliance with paper-based corporate policies, privacy guidelines and other industry-specific compliance regulations is no simple task, and manual processes for enforcing these policies are not enough. Using the established policies, automate as much as possible of the scanning and monitoring of content to identify and prevent violations. Monitoring will also help you identify which individuals or departments need more training.

Secure Sensitive Content

If a security breach occurs and the organisation finds out after the fact, the damage has already been done. Reports to the OAIC must be made and expensive fines could result. You will also be required to notify the victims of the breach, which, according to the Ponemon Institute study, costs Australian companies an average of $219,986. You will also be risking customer loyalty and brand equity, which on average cost companies $1,957,966 in lost business according to the same study.

Consider putting methods in place to secure sensitive content on file shares and intranets like SharePoint by restricting access to it, encrypting it, tracking it and preventing it from being published. Employing data loss prevention technology safeguards sensitive information from both accidental and malicious internal breaches, the two leading culprits.

Keep Reviewing Compliance and Security Strategies

Laws, industry regulations and best practices are always evolving. Organisations should have a flexible system in place that lets them update policies easily, so that content remains in compliance with the latest standards. They should also look at and understand how employees are using information, and make policy adjustments accordingly.

The bottom line is that Australian organisations need to be prepared for the new data privacy regime, while still ensuring that data can be accessed and shared between the right audiences. Consider an end-to-end automated compliance and security program to reduce the vulnerabilities and the amount of human diligence required to maintain content security.

Kurt A. Mueffelmann is president and chief executive officer of HiSoftware.