Many of us have been on the receiving end of spam calls from the ‘tax office’ or perhaps been the recipient of fake text messages advising us that our ‘parcel is ready for collection’. We know all too well that one false click can lead to a virus. But let’s go further and reflect on the clinic or practice you work at. What would your team do in the event of a cyber attack?
Notify those who need to know
The all-important starting point is to notify those who need to know. You must notify your clients if your system is hacked, attacked or compromised in any way. If you don’t, you risk significant fines for non-compliance. The idea behind this zero-tolerance approach is that once your clients are notified they can take the steps needed to protect their identity, whereas if you don’t tell them, you deny them the opportunity to take those steps.
Timing is crucial. The longer you wait, the higher the likelihood that your clients may learn about this attack from another source, which can really damage your clinic’s reputation.
This all falls within the broader context of the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018, and it pays to be familiar with it. Its rules apply to all agencies and organisations covered by the Australian Privacy Act 1988 (Cth). Regardless of turnover, the Privacy Act covers any business that is:
- a health service provider
- trading in personal information
- a contractor that provides services under a Commonwealth contract
- an operator of a residential tenancy database
- a credit reporting body.
What the NDB says
When a data breach occurs, the NDB states that your priority as a business is to contain the breach and take remedial action. If your corrective action fails to mitigate the risk of serious harm, you must notify the Commissioner and the affected individuals.