This week sees a continuing focus in Australia on notifiable data breaches. The regime will be introduced on 22 Feb. 2018.
The OAIC has provided a helpful analysis pointing out that GPs, gyms and childcare centers may all have obligations if they experience data breaches that are likely to cause serious harm under the relevant local legislation. Many of these are smaller businesses that may not have taken steps to comply with the APPs — there is an exemption from compliance with the Privacy Act where organization turnover is less than $3 million annually. However, as these businesses are likely to collect sensitive health information from their clients and members, they will need to become compliant. There could also be a heightened risk of noncompliance, as many may not have sophisticated systems or good security practices.
The GDPR continues to dominate the news. The May 2018 deadline is fast approaching, and regional businesses are finding new and challenging questions to address. For instance, one article this week looks at the concept of the outsourced Data Protection Officer and another provides a handy matchup between the GDPR and New Zealand’s Privacy Act.
In the broader region, there are developments in Singapore, with the government signaling that it will be fine-tuning its groundbreaking cybersecurity bill, slated to be introduced in early 2018, in response to public feedback. To strike a balance between security needs and industry development, there will no longer be extensive licensing of cybersecurity service providers. Penetration testing and managed SOC monitoring service providers will continue to be licensed. The bill also formalizes steps to require critical infrastructure providers to secure systems and quickly respond to threats and incidents. The infrastructure includes water, health care, energy and aviation.
On a lighter note, there is a story from New Zealand about the use of Facebook to name and shame a consumer accused of a scam. Unfortunately, it ended in tears for both the business and the would-be scammer.