Securing your Web Site with HTTPS to build trust with your audience.

The Chrome web browser now marks all HTTP sites as “not secure”.

Chrome used to display a neutral information icon, but starting with version 68, the browser will warn users with an extra notification in the address bar. Chrome currently marks HTTPS-encrypted sites with a green lock icon and “Secure” sign.

Google has been nudging users away from unencrypted sites for years, but this is the most forceful nudge yet. Google search began down-ranking unencrypted sites in 2015, and the following year, the Chrome team instituted a similar warning for unencrypted password fields.

The Chrome team said the change was mostly brought on by increased HTTPS adoption. Eighty-one of the top 100 sites on the web default to HTTPS, and a strong majority of Chrome traffic is already encrypted.

If your website does not currently default to “https://”, or cannot be viewed via “https://”, then we can help.

For further information, please get in touch.

Phone: 1300 705 062

Email: Sales@abtechnologies.com.au

Cyber Safety at Tax Time

It’s tax time and the common scam email informing you that you’re eligible for a tax refund is doing the rounds again!

Scammers are becoming more sophisticated, so sometimes it can be hard to know whether a message is really from the ATO or a scam.

In 2017, the ATO received over 81,000 reports of scams with $2.3 million reported lost and almost 10,000 people divulging personal information.

Australian Government Releases Warning about Current Tax Scam Email

The email, which has the subject line ‘Important information regarding your account’, includes the myGov logo and claims to be from the myGov team. Instead, the email is a phishing scam designed to steal your personal and financial information.

The form asks for your name and contact details, your myGov password and your credit card number. After you supply this information and click the ‘Continue’ button, you’ll be automatically redirected to the myGov website. By then it’s too late and the scammer has your details.

The scammers use this information to commit credit card fraud and identity theft.

If you receive an email like this one, do not click any links or open any attachments.

Remember: the ATO and myGov will NEVER send an email or SMS asking you to click on a link and provide login, personal or financial information, download a file or open an attachment.

Tips for Staying Safe

Know the status of your tax affairs. If you are aware of the details of any debts owed, refunds due and lodgements outstanding, you are less likely to fall victim to a scam.

Here are some simple steps you can take to avoid an email scam:

Tax Tips Infographic

Where to go for more information

Why Upgrade and Finance your New IT Infrastructure

Whether it is to keep pace with modern technology, to accommodate growth, or most importantly, to improve your business’s security, the reality of running a business is that from time to time you will be required to put money into what essentially runs your business: your IT infrastructure. Although this requires investment, staying put with your current setup can actually become more costly in the long run.

The quickest way to determine whether it is time to upgrade: if you’ve gone 3+ years without making any IT infrastructure updates, then it’s time.

IT products and solutions that provided a foundation for small businesses 2 years ago are often not adequate to offer full protection against current threats.

Signs you need to upgrade your IT Infrastructure

Continued use of IT infrastructure after its manufacturer’s warranty has expired is arguably the greatest danger you can introduce to your organisation’s business continuity. Since a server “serves” all other computers on your network, if it is not operational, all affected employees are suddenly taking a very expensive coffee break.

Additional factors that go against continued use of an out-of-warranty server include reduced security and increasing problems with compatibility. The life-cycle of a server should be directly tied to its manufacturer’s warranty.

Have you experienced any of the below factors?

  1. Your system was breached: The biggest warning sign of all is experiencing a security breach. If your system experiences a breach in any shape or form, your team needs to immediately review your infrastructure’s security. Even the smallest email phishing scam can reveal big problems with your company’s security measures.
  2. You don’t have enough storage space: If your employees are receiving ‘insufficient storage space’ messages, your infrastructure needs to be re-evaluated. Whether it is their computers or the company cloud, running out of storage has unfortunate repercussions for productivity. Not only does it prevent your employees saving the documents they require, but it can also result in your systems running slowly due to the system overload.
  3. Your employees are all using different hardware: When employees join your team at different times, they may end up using different hardware. However, having inconsistent IT in your company leads to a multitude of issues. Compatibility issues can arise with software and documents, as well as control and management issues.
  4. You don’t have hybrid data backups: Cybercrime will cost businesses worldwide more than $2 trillion by 2019, according to a Juniper Research study. Counter to what many small business owners believe, having a small business will not protect them from cybercriminals. The only guarantee against data loss and excessive downtime is having your data both backed up and readily accessible. For modern business, the new minimum standard is a data backup management solution that is both on- and off-premise.
  5. Your IT solutions cost too much time and money: Many businesses take a fix-it-now-and-deal-with-it-later approach when dealing with their IT issues. However, using this method will cost you more money in the long run. Implementing a solution that lets you manage your IT assets as a cohesive system can improve the performance of your IT infrastructure.
  6. Your applications are super slow: If the company’s applications are running slowly, your employees can’t work to their full potential. This can happen for a number of reasons, including low storage space, inefficient software, or malware on your hardware. Regardless of the reason, long loading times slow down your operation, making this a huge warning sign that you need to upgrade your system.

If your company has experienced any of the above, then your company may not meet the minimum requirements to keep your company efficient and secure.

Risks involved if you do not upgrade your Infrastructure

Consider business downtime to recover, the potential for extended downtime, and the overall increased risk to business continuity. In the case of disaster, consider the cost to your business if your systems go down for 48 to 72 hours, and the effect on your business obligations. Can your business afford these risks?

IT Infrastructures are at a greater risk of cyber-attacks without proper System support services. Machines with Windows XP & other outdated Windows Server Licencing are no longer supported by Microsoft. Without critical Windows security updates, IT Systems are vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage business data and information. Antivirus software will also not be able to fully protect you once a Windows OS itself is left unsupported.

Outdated IT Infrastructures may not meet the minimum requirements for implementing Advanced Threat Protection Services and Security Solutions.

Whilst we do not know what the future will bring for your business, ensuring your IT infrastructure is as prepared as possible will ensure growth can always be on the agenda. New technologies bring a variety of benefits to your business, and will help you meet the demands of your market, avoid downtime and save money.

How can I finance my IT Infrastructure?

We understand that investing in your IT can become a costly venture. If you’re going to invest in new IT infrastructure, consider the future. Where do you see your business in five years? Do not be afraid to be optimistic; it can serve you well. Getting the bare minimum to meet your needs now may cost you in the long run.

More and more clients are finding that using a Finance company to fund their new IT Hardware is a quick and seamless process, removing the burden of paying large upfront costs that can vary from $40K to $100K+.

One option we can provide our clients is to ‘lease their hardware’. Just like leasing a car, you make monthly payments and at the end of your contract, you can choose to buy or swap it out for a new one. It is, of course, more expensive to lease than buy your own, but for businesses who cannot afford the upfront costs of an upgrade, it can make the cost more manageable.

Benefits of Financing your Hardware

  • Optimise Cash flow
  • Reduce costs, improve return on investment (ROI)
  • Qualifies for off Balance Sheet reporting
  • Simple accounting as an operating expense
  • Preserves Working Capital
  • No residual liability
  • Flexibility to upgrade to new Technology at any time
  • Flexibility to add on options or components as required.
  • Flexibility
  • Preserves Cash and Credit Lines
  • Operating Expense
  • Preserves working cash
  • Improves and facilitates Implementation
  • Turns IT into an operating expense

To find out more about the benefits of financing your IT Upgrade click here.

If you are interested in upgrading your current IT infrastructure and increasing your business continuity, please give us a call to discuss your finance options.

P: 1300 705 062

E: sales@abtechnologies.com.au

Why You Should Ensure Your IT Infrastructure Is Compliant

As you are all aware, in February of this year the Notifiable Data Breaches Scheme commenced in Australia. As an entity, you now have the obligation of reporting when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

With the ongoing issues of data security and cybercrime, the European Union has just released its own data protection policy: the General Data Protection Regulation, also referred to as GDPR. This regulation ensures there is one set of data protection rules for all companies operating in the EU, wherever they are based. The most important aspect of these new laws is ensuring your own company data is protected and secure. With new threats emerging every day, the risks of not securing your network are more dangerous than ever, especially for companies. Verizon stated that 61 percent of breach victims in 2017 were businesses with under 1,000 employees.

With security and compliance an integral aspect of all companies, in recent months we have been contacting you by either email or phone to discuss your IT infrastructure. Please take these calls and Security Audit notices with serious consideration. If you receive tickets that our technicians are investigating excessive log-in attempts, and request a security audit – please do so. With businesses falling victim to a ransomware attack every 14 seconds, there is no time to waste. We as your Managed Services Provider are doing our best to make sure your company is safe & secure against all threats; however, we need your cooperation to do so.

There’s no question that the situation with cybercrime is incredibly serious. It is not a matter of if you will get targeted, it is when. Products and solutions that have provided a foundation for a small business’s IT 2 years ago are often not adequate to offer full protection against these current threats.

There is no single solution that will fully protect your business, and some businesses may not be able to implement all the recommendations to be fully compliant. Our aim is to provide the required information and recommendations necessary for the business owner to make an educated decision on security and business continuity.

Below are the top 10 minimum requirements for all businesses to consider for increased security:

  1. Enterprise Grade firewall with Advanced Threat Protection for on premise data.
  2. Implementation of VPN for remote access into the business.
  3. Ensure on premise data is backed up to dual destinations, including one off-site.
  4. Implement Advanced Threat Protection on all incoming emails to protect against malicious links.
  5. Migrate emails to Office 365 where possible to reduce the risk of downtime.
  6. Ensure all server hardware is in warranty and all software assurance is maintained.
  7. Ensure Office 365 is backed up, including mail archiving.
  8. Understand the business continuity plan and time to recovery (virtualisation, live backups)
  9. Draft a Business Disaster Recovery Plan.
  10. Undertake Regular Network and Security Audits including passwords changes.

We want to ensure your company IT infrastructure is as secure as possible. If you would like to discuss your security options further, please contact us sooner rather than later.

P: 1300 705 062

E: sales@abtechnologies.com.au

The Dangers of Phishing – Help Employees avoid the Cybercrime trap

To help you be more informed and proactively educate your employees on phishing attacks, we have curated this blog and e-book. In this blog and e-book you will learn the most common types of phishing attacks, how to spot them, tips to protect your company and educate your employees.

What is Phishing?

Phishing is an email that impersonates a legitimate, trusted sender with the goal of collecting sensitive data such as financial data or login passwords. Phishing emails typically contain a malicious link or attachment that installs malware, or a link to a malicious website that lures users into providing information that can later be used for identity or data theft.

Phishing emails are sent to very large numbers of recipients, usually at random, with the expectation that only a small percentage will respond.

Why Phishing is Important

Phishing is an extremely common form of email attack. It is particularly dangerous because it relies on human behaviour. For example, a phishing email might claim that the user’s bank account is overdrawn and require the user to create a login account to access the fake bank website. Since people often use the same password for multiple accounts, the attacker can use the password supplied by the user to try to get into other real accounts owned by that user.

The most commonly reported scams to the ACCC (Australian Competition and Consumer Commission) in 2017 were phishing scams; reports to the ACCC indicated that these scam types all increased in reported losses, which surpassed $4.6 million in 2017.

However, the true cost of these kinds of scams is often not felt right away, as the scammer’s primary aim is to obtain personal and banking information for future use.

Types of Phishing Scams

1. Deceptive Phishing

What it is: The most common type of phishing scam, deceptive phishing refers to any attack by which the attacker impersonates a legitimate company in an attempt to steal your personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding.

For Example: Scammers claiming to be from a Bank might send out an attack email instructing you that your account has been frozen unless you click on the link provided and enter your account information.

2. Spear Phishing

What it is: Spear phishing attacks are a personalised way for hackers to target you. Unlike phishing emails, which are sent en masse to target any user, spear phishing emails target a single person. Criminals select an individual target within an organisation and customise an email that includes your name, position, company, and work phone number, gathering this information through social media platforms and other public information. Their goal is to make you think they have a connection with you, which will lure you into clicking on a malicious URL or opening an email attachment.

For Example: A spear phishing email may appear to come from your organisation’s HR department asking you to verify your benefits policy information.

3. CEO Fraud

What it is: CEO Fraud is when the attacker has successfully spear phished a CEO or other top executive of the company, and they have managed to steal his or her login credentials.

For Example: The attacker then sends an email from the CEO’s account, or registers a new domain name that is off by one letter or number and duplicates the CEO’s sender details, and requests that an employee perform a wire transfer of funds to a financial institution of the attacker’s choice.

These types of attacks rarely set off typical spam traps because they’re not mass emailed – the victims are carefully targeted by the attacker.

4. Pharming

What it is: While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to a fake version of a legitimate website you are trying to visit. This is done by infecting your computer with malware which causes you to be redirected to the fake site, even if you type the real address or click on your bookmarked link.

For Example: Office 365 Phishing

Emails can contain links that open a phishing page hosted on a compromised WordPress site. The scammers behind this attack have set up their phishing page to look like an Office 365 sign in portal.

The objective of the scam is to harvest victim’s login credentials when they sign into the fake portal.

How to spot a Phishing Attack

Tips to Protect your Business & Educate your Employees

  • Educate all employees and raise awareness of the dangers of Spear Phishing through training.
  • Keep your system and programs updated. Install (and use all the features of) a reliable security solution, including vulnerability scanning, patch management, and advanced malware detection.
  • Users need to be cautious and aware of all websites they are accessing, ensuring they are mindful of what files they are opening on corporate computers and devices.
  • Companies need to avoid listing employee names on their company website.
  • All employees need to be aware that Company data and information is an extremely valuable commodity on the cybercriminal market.
  • Users should inspect all URLs carefully to see if they redirect to an unknown website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.
  • Companies should consider amending their financial policies so that no one can authorise a financial transaction via email.

Take Action to Defend Your Business

Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.

Head to our webpage to download your Sentinel Data Sheet.

Traditional Email Security Solutions are not Enough

Spear phishing emails are highly personalised. They also happen in a much smaller volume than traditional spam or phishing, and typically they do not contain malicious attachments or links. Because of this, they are very difficult to detect using existing email security solutions that rely on volume, rules, or heuristic-based detections. Instead, spear phishers engage in real human conversation with the victim. The messages are very compelling social engineering attacks that ultimately give instructions within the body of an otherwise clean email, making them virtually undetectable with traditional solutions.

Phishing attacks can be enormously costly and destructive, and new scams are appearing every day. Don’t wait until it happens to your business; take action to protect your company from financial and reputational damage, now. Effective cybersecurity requires a multi-layered strategy.

You will significantly reduce the risk of malicious email entering your network. Please contact one of our team members today about your company’s cybersecurity needs.

p: 1300 705 062

e: sales@abtechnologies.com.au

Alliance Business Technologies is Proud to Announce…

ABTechnologies is proud to announce that in May this year we were awarded two ‘Top Performing Partners for 2018’ awards.

The awards were ‘Cloud Market Place Partner of the Year’ for Australia at the 2018 Cloud Summit in Florida, USA, and ‘Growth Partner of the Year’ as well as ‘Technical Excellence’ at the Barracuda Networks Awards.

Our Operations Manager, Troy Radloff, flew to the United States to accept the award on behalf of ABTechnologies. The annual awards spotlight Ingram Micro channel partners worldwide who have exhibited a high level of innovation, advocacy, performance and sales success with Ingram Micro and the Ingram Micro Cloud Marketplace. Ingram Micro Cloud identified channel partners who have demonstrated an unparalleled commitment to reinventing the customer experience in the connected economy and driving new cloud capabilities through the Cloud Marketplace. These partners have all demonstrated the ability to help end users transform digitally using cloud technologies. Other criteria used to determine this elite group included overall cloud business growth, peer-to-peer leadership, and level of engagement and alignment with Ingram Micro.

Three of our team members attended the Barracuda Networks ‘Big Fish’ Event along with several other Barracuda partners. This is the first year we have attended the event, and we were honoured to receive three awards. One which we are particularly proud of is our award for Technical Excellence; this award is based on the number of technical certifications achieved during the year. We would not have been able to achieve any of these awards without the dedication of our team, and would like to take this opportunity to thank them.

We look forward to achieving more goals as the year goes on.

Privacy Awareness Week 2018

We are proud to be a supporter of this year’s Privacy Awareness Week (PAW).

This PAW is all about promoting privacy as part of everyday business. Running from 13 to 19 May, the theme ‘Privacy: from principles to practice’ focuses on the need for organisations to develop and reassess systems, processes, culture, and practice to make sure the protection of customers’ personal information comes first.

Your privacy and personal information are valuable to us, which is why we are a PAW 2018 supporter. To help you understand how we handle personal information, read our privacy policy here: http://www.abtechnologies.com.au/privacy-policy/

You can get involved in PAW by discussing privacy and taking steps to handle your personal information with care. Here are a few quick tips you can use today:

1. Read the privacy policy of any new app or website where you enter personal information
2. Use passwords of over eight characters that combine letters and numbers and aren’t easy to guess
3. Check the privacy settings on your social media profiles and change them to your preferences
4. Respect other people’s privacy – ask for permission to post images or videos where they are identifiable
5. Check for the padlock symbol and “https” at the start of a URL – this indicates that the website is secure.

Disaster Recovery: Why Define your RPO and RTO

While it is nearly impossible to predict what the next disaster will be, it is easy to prepare for, especially if you have an effective business continuity plan.

The first step towards having a secure and available business environment is determining your Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO and RTO are both essential elements of business continuity; however, they have some critical differences.

Recovery Time Objective (RTO)

Your RTO is the target time you set for recovery and restoration of your IT and business activities after a disaster. Typically, this is defined by how much downtime you can afford before your business suffers. It can include:

  • Time to discover and fix the problem
  • Time to recover data from backups
  • Time to restore your data and systems

The goal of your RTO is to calculate how quickly you can recover when disaster strikes. Establishing your RTO ensures that the disaster recovery strategy you have in place will meet these needs during a disaster.

The shorter your RTO is, the larger your disaster recovery investment is likely to be.

Important factors to determine RTO include: The amount of downtime your business can absorb, how much revenue is lost while you rebuild your IT environment, and what you’ll need to recover to get your business back up and running.

Recovery Point Objective (RPO)

RPO is focused on data and your company’s loss tolerance in relation to this data. RPO is determined by looking at the time between data backups and the amount of data that could be lost in between backups.

Imagine you’re writing a lengthy essay on a computer that you know will crash, but at an unexpected point in time. How often would you feel the need to save your work? The length of time between saves determines how much work you will lose, and how much time it will take to recover that lost work. This time becomes your RPO, and is the indicator of how often you need to back up your data.

The same applies for a disaster affecting your IT systems. Therefore your RPO is the shortest time you should let pass between backups. If you find that your business can survive three to four days in between backups, then the RPO would be three days.

Important factors for RPO include: How often important data changes at your organisation, how often backups will be run, and how much space you have available to store the backups.
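Putting the two objectives into a check you can run against real records makes the distinction concrete: the RPO is only met if the longest gap between completed backups stays inside it (a single missed nightly run breaks it, however frequent the schedule), and the RTO is only met if the three recovery steps listed above add up to less than the target. The script below is an added example, not part of the original article; the backup timestamps and step durations are constructed for illustration.

```python
"""Check a backup log against an RPO and a recovery plan against an RTO.

Added example (not from the original article). The backup timestamps and
recovery-step durations below are constructed for illustration.
"""
from datetime import datetime

# Constructed backup-completion log: a nightly job that silently skipped 16 June.
BACKUP_LOG = [
    "2018-06-11T02:00", "2018-06-12T02:00", "2018-06-13T02:00", "2018-06-14T02:00",
    "2018-06-15T02:00", "2018-06-17T02:00", "2018-06-18T02:00",
]

# Constructed durations for the three RTO components the article lists.
RECOVERY_STEPS_HOURS = {
    "discover and fix the problem": 2.0,
    "recover data from backups": 6.0,
    "restore data and systems": 4.0,
}


def backup_gaps_hours(stamps):
    """Return (start, end, hours) for each consecutive pair of backups, in time order."""
    times = sorted(datetime.fromisoformat(s) for s in stamps)
    return [(a, b, (b - a).total_seconds() / 3600) for a, b in zip(times, times[1:])]


def worst_case_data_loss_hours(stamps):
    """Longest interval between backups: data written just after one backup and
    destroyed just before the next is the most you can lose, so this is the
    RPO you actually achieve, whatever the schedule says."""
    return max((h for _, _, h in backup_gaps_hours(stamps)), default=0.0)


def rpo_violations(stamps, rpo_hours):
    """Backup windows longer than the RPO, as ISO timestamp pairs."""
    return [(a.isoformat(), b.isoformat())
            for a, b, h in backup_gaps_hours(stamps) if h > rpo_hours]


def planned_rto_hours(steps_hours):
    """Sum of the recovery steps: discovery, data recovery, restore."""
    return sum(steps_hours.values())


def assess(stamps, rpo_hours, rto_target_hours, steps_hours):
    """Compare achieved backup behaviour and planned recovery time with the objectives."""
    loss = worst_case_data_loss_hours(stamps)
    rto = planned_rto_hours(steps_hours)
    return {
        "worst_case_data_loss_hours": loss,
        "rpo_met": loss <= rpo_hours,
        "rpo_violations": rpo_violations(stamps, rpo_hours),
        "planned_rto_hours": rto,
        "rto_met": rto <= rto_target_hours,
    }


if __name__ == "__main__":
    result = assess(BACKUP_LOG, rpo_hours=24, rto_target_hours=8,
                    steps_hours=RECOVERY_STEPS_HOURS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed log the nightly schedule looks like a 24-hour RPO, but the skipped run makes the achieved worst case 48 hours, and a 12-hour recovery plan misses an 8-hour RTO target; both are the kind of gap that only shows up when the objectives are checked against records rather than intentions.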

What is the main difference between RTO and RPO?

The main difference between these two metrics is their purpose. RTO is generally large scale, looking at your entire business, whereas RPO is focused on your company’s data and your overall resilience to the loss of it.

When a disaster strikes your company, every second is valuable. Contact us today to discuss how our business continuity systems and solutions can help your business.

For more information about determining your RPO and RTO per application and data set, contact us today at 1300 705 062.

How to recognize phishing email messages, links, or phone calls

Phishing email messages, websites, and phone calls are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.

Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.

What does a phishing email message look like?

Here is an example of what a phishing scam in an email message might look like.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam. For more information, see Email and web scams: How to help protect yourself.
  • Beware of links in email. If you see a link in a suspicious email message, don’t click on it. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company’s web address.

Links might also lead you to .exe files. These kinds of file are known to spread malicious software.

  • Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised. For more information, see Watch out for fake alerts.
  • Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. For more information, see Avoid scams that use the Microsoft name fraudulently.

Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered.
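The checks described above, comparing the address a link really points to with the address the email shows, treating a bare string of numbers as a warning sign, watching for .exe downloads, and spotting domains that are a slightly altered version of a real company's (the same off-by-one trick the CEO fraud example earlier relies on), can be automated in a mail-triage script so they are applied consistently rather than left to each reader's eye. The Python below is an added example, not part of the original article or of Microsoft's material; the trusted-domain list, the sample email body and the address 203.0.113.7 (a reserved documentation range) are constructed assumptions, and the registrable-domain rule is a simplification rather than a public suffix list.

```python
"""Flag suspicious links in an HTML email body.

Added example; the trusted domains and sample email are constructed.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Hypothetical list of domains the organisation expects to see links to.
TRUSTED_DOMAINS = {"example-bank.com", "mygov.gov.au", "office.com"}

# Second-level labels under which a third label is needed (simplification of a public suffix list).
SECOND_LEVEL = {"com", "co", "gov", "net", "org", "edu"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def registrable_domain(host):
    """'www.example-bank.com' -> 'example-bank.com'; 'login.mygov.gov.au' -> 'mygov.gov.au'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-keep:])


def host_is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def levenshtein(a, b):
    """Edit distance; one or two edits from a trusted domain is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host_in_text(text):
    """If the visible link text itself looks like a URL or domain, return its host."""
    text = text.strip()
    if "." not in text or " " in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like phishing; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons
    is_ip = host_is_ip(host)
    if is_ip:
        reasons.append("href points at a raw IP address")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("href downloads an .exe file")
    href_dom = host if is_ip else registrable_domain(host)
    text_host = _host_in_text(text)
    if text_host and registrable_domain(text_host) != href_dom:
        reasons.append(f"link text says {text_host} but href goes to {host}")
    if not is_ip and href_dom not in trusted:
        for good in sorted(trusted):
            if 0 < levenshtein(href_dom, good) <= 2:
                reasons.append(f"{href_dom} is a near-match for trusted {good}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each flagged href in the body to its reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text, trusted)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample body modelled on the "account frozen" lure described earlier.
SAMPLE_EMAIL = """
<p>Dear Customer, your account has been frozen. Verify now:</p>
<a href="http://203.0.113.7/login">https://www.example-bank.com/login</a><br>
<a href="http://examp1e-bank.com/verify">Verify your account</a><br>
<a href="http://cdn.example-bank.com/files/statement.exe">Download statement</a><br>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The edit-distance threshold of two is a trade-off: it catches digit and letter swaps such as examp1e-bank.com and the rn-for-m substitution, but on very short trusted names it will also flag unrelated domains, so review the list of trusted domains with that in mind rather than treating every near-match as malicious.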

Beware of phishing phone calls

Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Once they’ve gained your trust, cybercriminals might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information are vulnerable.

Treat all unsolicited phone calls with scepticism. Do not provide any personal information.

Schedule a meeting with ABTechnologies to discuss developing a strategy that provides real business IT security.

Source: Microsoft

Notifiable Data Breaches Scheme

A consolidated guide about the Data breach preparation and response —

The OAIC has released a guide titled Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (Privacy Act). Find this guide here.

This guide consolidates the information provided in the Data breach notification — A guide to handling personal information security breaches released in 2014, the Guide to developing a data breach response plan released in 2016, and the resources published to assist entities in complying with the Notifiable Data Breaches (NDB) scheme.

In addition to outlining the key requirements relating to data breaches in the Privacy Act, including personal information security requirements and the obligations of the Notifiable Data Breaches scheme, the guide covers other key considerations in developing a robust data breach response strategy. This includes key steps to take when a breach occurs, the capabilities of staff, and governance processes.

Privacy Impact Assessment eLearning Course —

We have listed below new resources, including an online course, which takes approximately 1 hour, and a list of FAQs, to be referred to in conjunction with all previous content.

This eLearning program complements the OAIC’s Guide to undertaking privacy impact assessments, and aims to give you information on conducting a PIA in an easy-to-understand format so that you can have the confidence to do a PIA in your organisation or agency.

What is the Notifiable Data Breaches Scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result, require notification.

When does the notification obligation arise?

The amended Privacy Act will require APP Entities to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred (unless an exception applies). Relevantly:

  • a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus);
  • an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
  • serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
  • serious harm will be likely if such harm is “more probable than not” having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).

How to Notify:

This notification obligation will involve at least a two-step process. First, the APP Entity must prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC (ABTechnologies will prepare this on your behalf). The APP Entity (Your Company) must then take steps to notify the affected individuals (staff, customers, etc.). The actual steps required will depend on the circumstances, but will usually include sending the statement to the individual via the usual means of communication between the APP Entity and individual.

The notification to affected individuals and the OAIC must include the following information:

  • The identity and contact details of the organisation;
  • A description of the data breach;
  • The kinds of information concerned; and
  • Recommendations about the steps individuals should take in response to the data breach.

If an APP Entity only has reasonable grounds to suspect that an eligible data breach has occurred, the notification obligation will not arise. However, the APP Entity will be required by the new legislation to complete a “reasonable and expeditious” assessment of the relevant circumstances within 30 days. Importantly, shutting one’s eyes will not allow APP Entities to avoid the requirements of the Privacy Act.
For the full guide on notifying individuals about an eligible data breach: Who to notify and how to notify them in the instance of a data breach.

Exceptions to the data breach notification requirement

Various exemptions to the notification requirement will be included in the amended legislation.
Perhaps the most interesting exception is that a notification will not need to be given if the APP Entity takes remedial action before any serious harm is caused by the breach.
This exemption demonstrates the value of early detection and action. Importantly, the ability of a company to detect a data breach at the first available opportunity and take action in respect of it will be a function of the organisation’s preparedness for such an occurrence.
In order to be properly prepared, it is likely that a prudent organisation will have in place detailed policies and procedures which outline the steps that are to be taken in response to a serious data breach, regardless of whether that breach has occurred as a result of inadvertence on the part of the organisation and its employees (e.g. as a result of personal information being lost) or following a co-ordinated attack by hackers.

Penalties:

A failure to comply with the notification obligations will fall under the Privacy Act’s existing enforcement and civil penalty framework. Accordingly, APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.

What should you do?

  • Sign up to the OAIC newsletter. This will ensure you are updated with the most recent information and resources.
  • Audit your current information security processes and procedures to ensure they are adequate (prevention will soon be much more palatable than the cure); and
  • Prepare a data breach response plan (or update your current plan) to enable the APP Entity to respond quickly, efficiently and lawfully to an actual or suspected data breach.

The OAIC currently operates a voluntary data breach notification scheme and has published various resources to assist APP Entities with their handling of data breaches. Much of that guidance will assist APP Entities in ensuring that they comply with the mandatory data breach notification scheme and it is expected that the OAIC will release new or updated guidance over the coming months.

However, further steps are likely to be necessary in order to ensure that your organisation understands the impact of the scheme and to make the necessary preparations for its introduction.

As the Australian Government releases more information, we will be sure to keep you updated. Please follow our social media pages & contact us if you have any further queries.