Is your RE business subject to Australian privacy laws? Do you operate a residential tenancy database? Are you prepared for the new data breach laws?
On 22 February, the new Notifiable Data Breaches (NDB) scheme takes effect across Australia. The NDB requires all organisations covered by the Privacy Act 1988 to notify the Australian Information Officer and individuals likely to be at risk of serious harm of any data breach. (FYI: If your business processes the personal data of EU citizens, from May you’ll also be subject to the General Data Protection Regulation — and it carries a fine of up to €20 million for non-compliance.)
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure; for example, when:
• a device containing customers’ personal information is lost or stolen
• a database containing personal information is hacked
• personal information is mistakenly provided to the wrong person
While most small businesses (those turning over less than $3 million per annum) are exempt from the NDB scheme, any business operating a residential tenancy database is subject to the new requirements.
Failure to comply can result in a range of consequences like public apologies and compensation payments, and for serious breaches or repeat offenders, civil penalties. Civil penalties are currently $360,000 for individuals and $1.8 million for bodies corporate.
Regardless of whether you are subject to the new requirements, practically every RE business holds (and is required to retain for a long time) and, in the case of property management, shares private information such as:
• dates of birth
• email addresses
• postal addresses
• current and previous home/rental addresses
• driver’s license/passport details or other ID like Medicare numbers
• employment details
• financial/bank account details
• credit records
• info about building management systems such as access codes, CCTV, lighting and door locks (for commercial property managers)
Agents and property managers need to be particularly careful when storing — and disposing of — these records.
The fact is, personal information is big business and the criminal element is always keen to get their hands on that information so they can make money or mischief. Identity theft is on the rise, as is financial fraud, and agents hold just the sort of confidential, personally identifiable information that the criminals need to perpetrate these crimes.
The bottom line is that it’s imperative for RE professionals to have sound data protection protocols in place as all businesses, large and small, run the risk of being targeted by cyber criminals (hacks, phishing, malware, ransomware) and accidentally exposing data.
Data breaches can have serious ramifications for your business — financial, operational, legal, reputational — making risk mitigation a necessity. Policies, procedures and protocols to help keep data safe include:
• Training staff on best practice data protection (passwords; network security; portable device security; recognising cyber risks such as spam, scam, phishing emails, etc.) and handling confidential/private information (including their responsibilities and obligations)
• Installing and updating security software (firewall, anti-virus and anti-spyware) and patches on all devices (including employee BYO devices which are a leading source of breaches)
• Securing your networks, including Wi-Fi
• Ensuring all data is encrypted, especially on portable devices such as laptops and smartphones
• Backing up data
• Having a cyber attack response plan
You can also help safeguard your business with Cyber Liability insurance cover. As the cyber crime landscape is constantly changing, the covers available are also constantly evolving. Dealing with an insurance broker that understands the risks an RE business faces will also help ensure that you get the right cyber policy for your business and that you understand your obligations so you don’t get caught out (for example, in order to be covered, a policy is likely to require that security software is installed and all patches are up to date).