Changes to Data Breach Legislation and What it Means For You

If you sell or shop online, then chances are you’re well aware of the personal data you are required to submit upon payment – but how secure is your personal information and what happens when your information is at risk of being breached?

PCI legislation has been an increasing concern in the digital sphere, changing the way in which online business owners store and secure shopper’s data. To make it simple, we’re here to inform you on your PCI requirements, changes to data breach notification laws and what happens if you were to experience a data breach.

What is PCI-DSS?

Short for Payment Card Industry Data Security Standard, PCI-DSS (or PCI) refers to a set of measures applicable to all companies who accept credit card payments. If your company is currently accepting card payments and processing, transmitting or dealing with customer cardholder data you must host your data with a provider who is PCI compliant.

Being PCI compliant means adequately adhering to a set of requirements pertaining to security when accepting, processing or storing cardholder data. PCI compliance is mandatory for all Australian businesses regardless of size who are utilising credit or debit card information.

What are the new laws about?

In February 2018, the Australian government enforced a series of data breach notification laws, making it a requirement for businesses to alert the Australian Information Commissioner and all of its clients if they get hacked or if there has been a data breach. Implemented in a bid to minimise the risk and damage of cyber-attacks on both individuals and businesses, these new laws are designed to keep consumers informed of potentially harmful threats that could put their personal or private information at risk.

Under these new laws, businesses who have experienced a breach of data have 30 days to report the incident to the Office of the Australian Information Commissioner and inform all potentially affected clients within their database system.

Does it affect me / my business?

These laws are applicable to all government agencies and organisations governed by the Privacy Act 1988. This includes health service providers, businesses that sell or purchase personal information and credit reporting bodies.

If you’re a business owner with an annual turnover of under three million dollars, you fall outside this legislation and these laws are inapplicable, as they are governed by state government organisations and local councils.

What exactly is a data breach?

A data breach constitutes any action, intentional or otherwise, by a business that results in an individual’s personal information being compromised.

This could occur as a result of information being lost, stolen or leaked to an outside body. Under data breach legislation, this includes personal information, contact details, credit reporting information, credit eligibility information and tax file number information.

What do I need to do if I experience a breach?

If your business has an annual turnover of more than three million dollars and the data breach is likely to result in serious harm to any individuals who have shared their personal or private information with you, you must report this incident to the Office of the Australian Information Commissioner within 30 days. This report will disclose the type of data breach made, the data affected by this breach and how you are going to take steps in rectifying this situation. Failure to report and take affirmative action to rectify can result in a penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

However small businesses are not off the hook. If you’re a business owner with an annual turnover of less than three million dollars, you will still need to take appropriate steps in ensuring damages are contained and to assess any current and potential damages.

How do I protect my business from potential data breaches?

Using a tier-one provider like eWAY is a smart first step in meeting your PCI DSS obligations, ensuring the highest security measures as set by Visa and MasterCard, meaning you can rest assured any personal information is being held to the highest quality standard.

Of course, like anything in the always-evolving world of technology, security measures aren’t set & forget. Check out our PCI Compliance Checklist for more details on making your business PCI compliant.

You have additional PCI DSS obligations which eWAY can help you meet as a part of the Merchant Trust Initiative.