Leonard Kleinman gave a rundown of what one could expect when the Privacy Amendment (Notifiable Data Breaches) Act 2017 takes effect, focusing on the security side of things, at a seminar in Melbourne on Tuesday.
His focus on ransomware was understandable, given the fact that this Windows scourge has been in the news more often than not in 2016 and the beginning of this year, culminating in the recent WannaCry attack that threatened to go worldwide until it was nipped in the bud by an accidental act.
Kleinman pointed out that ransomware had a history going back to 1989 and the AIDS trojan, which replaced the AUTOEXEC.BAT file on an MS-DOS machine and attacked the machine itself on the 90th boot.
Given the cyber security environment at the moment, Kleinman said it was necessary to understand the legislation and its obligations, even if a company was not planning to take the steps needed to prepare for it.
Indeed, this was a common theme which was advanced by the other two speakers at the seminar: Helaine Leggat, the director of Information Legal, and Mani Amini, GRC group manager at Content Security, the other firm that was involved in organising the seminar.
(The Office of the Australian Information Commissioner has a rundown of the data breach act here.)
Leggat told iTWire that the legislation itself had been prompted by the fact that Australia trailed behind the rest of the world in data breach law and it had to catch up in order to ensure that people could do business across borders.
"Even New Zealand is ahead of us in this field," she said.
Leggat outlined the changes that the law had brought about to the Privacy Act, highlighting the fact that while there were many exclusions, the penalties would not be light if one was caught.
She told iTWire that the introduction of the law would provide plenty of work for lawyers, with many now advertising themselves as cyber security specialists in what she agreed was a feeding frenzy.
Amini's presentation dealt with privacy readiness assessment: how a company should go about preparing for the legislation if it intended to be fully prepared to deal with it.
In one word, the process will be complicated, and is likely to impose additional costs on businesses that come within the $3 million bracket and are thus covered by the law.
Kleinman told iTWire that there would be many companies who would be providing information about the legislation as a way to attract business.
He said the Melbourne seminar — and two others, held in Sydney and Brisbane — were aimed at tier two companies, as the big firms would have their own experts within their own ranks. And, he added, RSA's take on it was coming from a company that specialised in security.
Breaches of the law, in the form of failing to notify those affected by a breach, will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines.
The Office of the Australian Information Commissioner is currently seeking public comment on entities covered by the NDB scheme; notifying individuals about an eligible data breach; identifying eligible data breaches; and the Australian Information Commissioner’s role in the scheme.
The last date for submitting comments is 14 July.