There are no cheap data breaches

There are some obvious business axioms. Make more money than you spend. Pay your bills on time. And don’t make it easy for your data to be stolen. That last one comes with all sorts of obvious damage. If you are the victim of a data breach your reputation can take a hit. And with the introduction of new breach notification laws in February 2018, your bottom line could take a beating too.

The new laws compel companies to report data breaches involving Personally Identifiable Information (PII) to the Australian Privacy and Information Commissioner within 30 days of the breach being detected. This covers personal details including health records, credit reporting information, credit eligibility information, and tax file number information. The report needs to include the identity of the breached organisation, a description of the breach, the kind of information concerned, and recommendations to the affected individuals as to the steps they should take in response to the breach. If your intellectual property is stolen there's no need to report – you'll probably have other problems to solve if that happens.

It Affects You

Notifying the Privacy Commissioner will not automatically land you with a fine unless the Commissioner determines that the breach was avoidable or that your company is a repeat offender. This should be cold comfort, at best. The laws apply to all companies that turn over more than $3M, as well as government agencies and any organisation that handles health data (regardless of turnover).

The cost of a data breach

"A staggering 89% of consumers say they avoid doing business with companies that they do not trust to protect their data."

TRUSTe®, January 2014

Data Breach Penalties

As to the penalties: the Federal Court or Federal Circuit Court of Australia can levy fines of $360,000 for individuals and $1,800,000 for companies if the Commissioner refers the case and your company is found to be in breach of the laws. This has interesting implications for Line of Business leadership. The Government is slowly but surely putting companies on notice that data security is an organisation-wide priority, and not the sole responsibility of IT teams.

If your team handles PII customer data regularly, you’re more exposed than ever. If you don’t know how that data is accessed, where it is accessed from, who is gaining that access and why, you’re at risk. If you haven’t put appropriate measures in place to ensure you are informed of, and can quickly act on, any irregularities, you’re in the firing line. This exposure does not depend on whether your teams contributed to the data breach. If you are in the business of customer retention, customer contact and marketing, your teams will likely bear the brunt of responding to the fall-out.

Don't Harm Your Brand Value

Customer loyalty can be tested following a breach. We took the time to run some analysis on the annual reports of one of Australia’s largest electricity retailers. This showed that a customer churn of just 17,500 customers, or 0.5% of their total customer pool, would represent $1.75M of lost revenue, with about $250,000 needed in additional marketing costs to win back the lost customers. And that is a conservative estimate.

So what should you do? Start by understanding the issues and being able to ask the right questions. Data Migrators can help you do that. If you are interested in an obligation-free briefing and assessment to help you identify where your departmental or functional exposures may exist and what could be done about them, contact Data Migrators using the form below, or call us on +61 1300 328264.

Download our Report

Is Burn And Churn Inevitable Under Mandatory Data Breach Reporting Laws?
