Legal framework for Australian Data Breach & Cyber Security
Australian Privacy Principles
The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) that set out the obligations of entities in managing personal information.
Complying with the APPs as a whole will reduce the risk of a data breach, because the APPs ensure that privacy risks are reduced or eliminated at each stage of handling personal information: collection, storage, use, disclosure and destruction.
What is a data breach?
A data breach occurs when personal information held by an entity is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual or a reasonably identifiable individual. A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.
Examples of data breaches:
- loss or theft of physical devices (such as laptops and storage devices) or paper records containing personal information
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to 'human error', for example sending an email to the wrong person
- disclosure of an individual's personal information to a scammer as a result of inadequate identity verification procedures
Examples of harm caused by a data breach:
- financial fraud, including unauthorised credit card transactions or credit fraud
- identity theft resulting in financial loss or emotional and psychological harm
- family violence
- physical harm or intimidation
Notifiable Data Breaches (NDB) scheme
The primary purpose of the NDB scheme is to ensure individuals are notified when their personal information is involved in a data breach that is likely to result in serious harm.
Entities must notify individuals and the Commissioner about 'eligible data breaches'.
An eligible data breach occurs when the following criteria are met:
- there is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
- this is likely to result in serious harm to any of the individuals to whom the information relates; and
- the entity has been unable to prevent the likely risk of serious harm with remedial action.
Other obligations
In addition to the obligations in the Privacy Act relating to the protection of personal information and responding to data breaches, entities may have other obligations.
For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. Entities might consider reporting certain breaches to:
- the entity's financial services provider
- police or law enforcement bodies
- the Australian Securities & Investments Commission (ASIC)
- the Australian Prudential Regulation Authority (APRA)
- the Australian Taxation Office (ATO)
- the Australian Transaction Reports and Analysis Centre (AUSTRAC)
- the Australian Cyber Security Centre (ACSC)
- the Australian Digital Health Agency (ADHA)
- the Department of Health
- State or Territory Privacy and Information Commissioners
- professional associations and regulatory bodies
- insurance providers
Data breach response plan
A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. Simply put, it is the set of steps an entity should take if a data breach occurs.
A data breach response plan must be in writing to ensure there is a clear understanding of what needs to happen in the event of a data breach. The plan must be regularly reviewed and tested to ensure it is up to date and that the actions expected of each role are clear.
Running through a hypothetical data breach scenario and testing the response plan against it is a worthwhile, recommended exercise that entities should undertake to make the plan more effective. A well-written and well-managed data breach response plan enables an entity to respond quickly to a data breach and reduce the various harms that would otherwise be expected, which ultimately lowers the entity's costs of dealing with a breach.
The Notifiable Data Breaches (NDB) scheme
The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm.
The scheme requires entities to notify individuals and the Commissioner about 'eligible data breaches'.
An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- The entity has been unable to prevent the likely risk of serious harm with remedial action.
What is a data breach?
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual or a reasonably identifiable individual. A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.
Data breach examples:
- loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to 'human error', for example, an email sent to the wrong person
- disclosure of an individual's personal information to a scammer, as a result of inadequate identity verification procedures.
Other obligations
Entities may have other obligations outside of those contained in the Privacy Act that relate to personal information protection and responding to a data breach.
For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. Entities might consider reporting certain breaches to:
- the entity's financial services provider
- police or law enforcement bodies
- the Australian Securities & Investments Commission (ASIC)
- the Australian Prudential Regulation Authority (APRA)
- the Australian Taxation Office (ATO)
- the Australian Transaction Reports and Analysis Centre (AUSTRAC)
- the Australian Cyber Security Centre (ACSC)
- the Australian Digital Health Agency (ADHA)
- the Department of Health
- State or Territory Privacy and Information Commissioners
- professional associations and regulatory bodies
- insurance providers
USEFUL CONTACTS
- Australian Government - Australian Signals Directorate (ASD)
- Australian Cyber Security Centre (ACSC)
- Office of the Australian Information Commissioner (OAIC)
Data breach response plan
A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. Simply put, it is the set of steps an entity should take if a data breach occurs.
A data breach response plan has to be in writing to ensure everyone involved clearly understands what needs to happen in the event of a data breach. Regularly reviewing and testing the response plan is a must, to ensure the plan is up to date and that the actions expected of each role are clear.
Working through a hypothetical data breach scenario and testing the response plan against it is a worthwhile, recommended exercise that an entity should undertake to make the plan more effective. A well-written and well-managed data breach response plan enables an entity to respond quickly to a data breach, and responding quickly reduces the various harms that would otherwise be expected. This ultimately reduces the costs to the entity of dealing with a breach.
A data breach occurs when sensitive or personal information is accessed, disclosed, or exposed to unauthorised individuals.
This can happen accidentally or as a result of a security breach. For instance:
- Sending an email with personal information to the wrong recipient
- Hacking into a computer system and stealing personal data
The consequences of a data breach can be far-reaching. Depending on the information involved, it may lead to:
- Compromised online accounts, including banking accounts
- Targeted scams using the stolen information
- Identity theft
In Australia, the Notifiable Data Breaches (NDB) scheme requires organisations to inform individuals if their personal data has been part of a breach that puts them at risk of serious harm. This applies to Australian government agencies, businesses, credit reporting bodies, health service providers, and more.
When notifying individuals about a breach, organisations must also provide recommendations on the steps individuals can take to protect themselves.
To minimise the impact of a data breach:
- Limit the personal information you share: only provide the details an organisation actually needs.
- Choose organisations committed to cybersecurity: be cautious of those with poor security reputations.
- Avoid password reuse: unique passwords for different accounts prevent widespread damage if one is compromised.
- Use strong passwords or passphrases: consider using a password manager to generate and store them.
Data breach legal team
Address: Wynyard / Martin Place
Level 10, 20 Martin Place Sydney NSW 2000
T: 1300 140 291 / 1300 577 502 / admin@wentworthlaw.com.au
Australian Cyber Security Centre
The following cybersecurity best practices help individuals enhance their online safety and protect sensitive information:
- Use Strong, Unique Passwords:
  - Create complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.
  - Avoid using easily guessable information like birthdays or common words.
  - Consider using a password manager to securely store and manage your passwords.
- Enable Two-Factor Authentication (2FA):
  - Whenever possible, activate 2FA for your online accounts.
  - 2FA adds an extra layer of security by requiring a second form of verification (such as a text message or authentication app) in addition to your password.
- Keep Software Updated:
  - Regularly update your operating system, applications, and antivirus software.
  - Software updates often include security patches that address known vulnerabilities.
- Be Cautious with Email and Links:
  - Think before clicking on links or downloading attachments from unknown or suspicious sources.
  - Be wary of phishing emails that impersonate legitimate organisations to steal your information.
- Secure Your Devices:
  - Install and update antivirus software on all your electronic devices.
  - Use firewalls to protect against unauthorised access.
  - Regularly back up your data to prevent loss in case of a security incident.
- Educate Yourself and Others:
  - Stay informed about the latest cybersecurity threats and trends.
  - Educate family members, colleagues, and friends about safe online practices.