Copyright © 2024 | Magnetic Alliance Cyber Pty Ltd | Designed by Magnetic Alliance
Do you know your legal and ethical obligations if your business experiences a cyber attack?
A cyber attack can be devastating for a business. In fact, 22% of small businesses in Australia don’t survive a ransomware attack.
In addition to direct financial costs, companies can experience employee stress, brand damage, and weeks of lost productivity time.
Moreover, Australian business owners also have legal requirements they must adhere to and ethical obligations they must consider.
Who is accountable for a cyber attack?
Cyber security is not just an IT responsibility. It requires input from management teams, HR, communications, IT teams, legal counsel, and any relevant department – or employee – impacted.
In the event a company experiences a cyber attack, it is the business owner and/or board of directors that could be held liable. Further, it is the responsibility of the business owner/s to ensure the company complies with the legal requirements set out by the Australian Government.
Thus, it is imperative the responsibility for ensuring the company has ample cyber security is considered at a governance level.
What are my legal requirements if my business experiences a cyber attack?
PLEASE NOTE: Jam Cyber strongly recommends all business owners obtain their own independent advice regarding their legal requirements in the event of a cyber attack.
Under Australian law there are different legal requirements depending on the type of attack. Here are the current requirements (please note, these may be subject to change as laws are updated).
What is classified as a data breach?
The Office of the Australian Information Commissioner (OAIC) has outlined what they consider a data breach. It includes:
- Unauthorised access: includes employees who access sensitive or confidential files without authority and/or unauthorised external third-party access (via hacking, social engineering, or espionage).
- Unauthorised disclosure: includes intentional data theft and publishing by employees and/or external hackers, as well as accidental publishing of confidential information by employees.
- Compromised accounts: in the instance a company user account has been hacked (via phishing, social engineering etc.) by an internal or external person.
- Lost or stolen devices: includes employees who accidentally put company data at risk when devices are lost or stolen. Note: if the device is secured via Multi-factor Authentication (MFA) and there is no possibility a third party can access the company files, then this risk is mitigated, and the loss of a device does not automatically become a data breach.
Data breaches can be small and accidental or catastrophic. The best way to avoid a data breach is to implement a cyber security framework.
If your company experiences a Notifiable Data Breach, you may be required to legally notify the OAIC.
What is a Notifiable Data Breach?
The OAIC has implemented a Notifiable Data Breach (NDB) Scheme which requires certain businesses to notify the government when a breach occurs. Companies that are eligible for the scheme are required to notify the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Serious harm may include (but is not limited to) financial fraud, identity theft, physical harm and/or activity that leads to emotional distress. For example, a hacker obtains personal details, usernames, and passwords of customers or employees. This would enable them to commit identity fraud and potentially steal money from victims.
For more details about the NDB Scheme, please see: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme
What are my ethical responsibilities?
There is a difference between your legal requirements and your ethical responsibilities when it comes to a data breach. The OAIC provides clear guidelines of exactly what needs to be reported and to whom. But should you inform people even when you are not required to?
Whilst each case may be different, Jam Cyber believes that business owners should always inform clients when their data has been compromised – regardless of whether they are required to or not.
When it comes to ransomware, we recommend notifying the government of the attack so they can better fund and protect other businesses. You can make your voluntary report here: https://www.cyber.gov.au/acsc/report
What can I do to prepare and protect my business?
Whilst Jam Cyber does not offer advice regarding individual business legal requirements, we have created a checklist for business owners to review and consider.
1. Determine your ‘entity status’
The OAIC has slightly different requirements for different-sized businesses and those in specific industries. In short, any business earning more than $3 million annually, or that has existing obligations under the Privacy Act, is legally required to provide notification to the OAIC in the event of a data breach where personal information is concerned. To review whether your organisation is included in this scheme visit: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme#entities-covered-by-the-ndb-scheme
2. Prepare your Data Breach Policy and Response Plan
Your Data Breach Policy and Response Plan should include both how to identify a data breach and how the company will respond in the event of a breach. We recommend also including a communication table to ensure you know who is responsible for communicating what message.
3. Prepare Data Breach Notification Templates
In addition to notifying the OAIC, your business may be required to contact individual employees and customers if their data has been compromised. Having ready-to-go templates in place will ensure you can communicate swiftly to victims and the appropriate authorities.
Need Cyber Security Templates? View our Cyber Security Policies and Procedures
4. Educate your team
Training your employees is one of the best things you can do to prevent cyber attacks. Most cyber breaches are the result of human/employee error. By upskilling employees, you may be protecting them and your customers. Find out more about training your team.
5. Implement a cyber security framework
Every company should have a cyber security framework in place to maximise protection and mitigate damages. The framework should include policies and procedures, systems and tools and employee training. You can view our cyber security framework here.
Want to know if your business is protected? Take our free cyber risk report today.
Need to know more about cybersecurity?
Check out our website https://jamcyber.com/
Check out our blog https://jamcyber.com/blog/
#JamCyber #CyberCEO