Quick and Complete Reporting is Critical after Data Loss
Why do businesses need the Breach Reporting Service?
The Breach Reporting Service is a crucial part of responding to a suspected or confirmed data breach of personal information. Laws mandate breach reporting to government agencies, in addition to providing consumer notification. You need this service because CSR will evaluate the incident to determine if reporting is required, complete the reporting on your behalf at no extra charge, and can also provide consumer notifications.
With one phone call, CSR’s experts can alleviate this complex and time-consuming task from your responsibilities, allowing you to focus on your other priorities.
What could happen if I don’t have this service?
Lost trust means lost sales. The fallout from mishandled and/or unreported data breaches has caused many businesses to close their doors. Failure to report an eligible data breach could result in fines up to $2.1 million, as well as civil and criminal actions, including jail time.
Why shouldn’t companies try to do this themselves?
When doing this yourself, the liability rests entirely with you, as well as civil and criminal sanctions, on both federal and state/territory levels. Penalties for missing just one report to authorities could amount to 2000 penalty units (current total is $420,000) or could result in fines up to $2.1 million.
Data privacy and protection laws are always developing and defining the types of personal information that must be protected, and thereby increasing the regulators and industry agencies that require or recommend breach reporting. In short, the learning curve is very steep.
CSR’s trained Certified Information Privacy Professionals (CIPPs) use a proprietary system to evaluate your circumstances against hundreds of rules and regulations to determine whether reports need to be filed and whether individuals and other entities must be notified.
About the CSR Breach Reporting Service™
What is the CSR Breach Reporting Service™?
CSR’s team of in-house privacy professionals use a patented, award-winning service to fulfill your mandated requirements to comply with federal, state/territory and other laws to report an eligible data breach to regulatory authorities and to notify affected individuals.
What number do I call if I think I have a breach of personal information?
In the event you believe you may have a breach of personal information call 1800 069 293.
What if I’m not sure whether I have lost data?
In the event you believe you may have lost personal information, it is possible this incident can be considered a reportable data breach, call 1800 069 293.
What are the hours of your service?
The operators are available every day of the year for you to call. An answering service will direct your call to a Certified Privacy Professional who will review your case in detail prior to providing you with a breach determination on reportability.
How does this service work?
It’s a simple process. If your company’s personal information is suspected (or confirmed) of being lost, stolen or compromised:
- You call the toll-free number: 1800 069 293.
- A CSR privacy professional conducts an interview necessary to collect your incident details.
- Your CSR privacy professional, using our proprietary system, will:
- Determine if reports must be filed with government and regulatory authorities; and
- Determine if notifications must be sent to affected individuals.
- The CSR expert review panel confirms the decision.
- CSR completes the reporting and provides you with documented confirmation of every entity reported to on your behalf.
- If notification is required to affected individuals, CSR will inform you, and upon your confirmation and input, can provide consumer notification services.
How do I sign-up?
You are automatically enrolled. To learn more about data protection and breach reporting, go to our BRS page.
Is this breach insurance?
This is not breach insurance. The Breach Reporting Service is not an insurance product. It is a service to provide breach reporting and notification. Insurance provides payment in case of loss.
Will you notify individuals or provide other post-breach services?
Yes, privacy experts will work with you to notify individuals. You can contact the privacy team for additional services separately. Contact us for further information.
Will this service make my company’s breach public?
No, your information will not be made public by CSR. Your information is used solely for the purpose of completing the services offered under the CSR Breach Reporting Service. Your information may be shared in instances of requirement by enforcement authorities or a court order.
Requirements to Protect Data and Breach Reporting
What is personal information?
The simple answer is, it’s anything that can be used (alone or in combination) to identify an individual. Examples of personal information include name, address, phone, email, birth dates, tax file numbers, driver’s license, financial information, pictures, fingerprints, login credentials, and the list continues.
Personal information also includes opinions or information that can allow a person to infer or form an opinion about an identifiable individual. This could include employee reviews, student records, purchasing histories, web browser histories, driving records, etc. Note, per the Australian Privacy Act of 1988, information held by an entity does not have to be true to qualify as personal information. Also, personal information handled by healthcare service providers under the My Health Records Act, can be considered personal health information and are accompanied by additional requirements.
What is the difference between PCI and personal information?
Payment Card Industry (PCI) data is just one type of personal information. The PCI Data Security Standard is a means of protecting credit cardholder data, such as debit or credit card numbers, expiration dates and card security codes.
If you’re a business owner or operator and you accept, process, transmit or store cardholder data, then you’re required to comply with PCI Security Standards to ensure a secure payment card environment. PCI compliance is expected of all Australian business, irrespective of their size.
What is an eligible data breach of personal information?
While applicable jurisdictions and regulated industry sector definitions may vary, the Australian Privacy Act considers an eligible data breach to be: unauthorised access to or unauthorized disclosure of personal information or a loss of personal information an entity holds that could reasonably result in serious harm to any of the individuals to whom the information relates, and the entity is unable to prevent the likely risk of serious harm with remedial action.
What is data breach reporting?
When a breach occurs, the clock starts ticking toward deadlines to comply with federal, state/territory and other laws to report the incident to regulatory authorities. Reporting involves the who, where and how of the incident.
To whom do you need to report a breach?
Who you need to report to in the event of an eligible data breach may depend on multiple factors including where you are located, what kind of personal information was involved in the breach, and the location of the affected individuals whose personal information may have compromised. It can also depend on what kind of entity you are, (such as public or private), if you are contracted to a government agency, if you qualify as an APP or are a TFN recipient, and other factors. Over 100 jurisdictions have separate data protection laws.
What is the notification to affected individuals?
The Australian Privacy Act requires that an eligible data breach is reported and accompanied by notifications of the breach to affected individuals. Other consumer notification requirements may apply depending on where the affected individuals are located. For instance, if an Australian organisation deals with mostly European customers, their consumer notification requirements may include European privacy laws (i.e. the General Data Protection Regulation and individual countries).
What are some examples of a breach?
A breach can occur in many ways, including through lost laptops or smart phones, improper disposal of paper records, or intrusion into your network or PC by hackers (i.e., email phishing, malware, spyware). The definition continues to expand.
What laws govern personal information?
Here are a few examples of the laws and regulations that relate to the protection of personal information and agencies to which you may report your incident:
- Australian Privacy Act 1988, (Privacy Amendment – Notifiable Data Breaches 2017)
- My Health Records Act
- Payment Card Industry Data Security Standard (PCI-DSS)
- International laws
What enforcement agencies and other bodies might be involved after a breach?
Enforcement officials include various national, state/territory specific regulatory agencies and commissioners. Here are a few examples:
- State or Territory Privacy and Information Commissioners
- Australian Securities & Investments Commission (ASIC)
- Australian Prudential Regulation Authority (APRA)
- Australian Taxation Office (ATO)
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Australian Cyber Security Centre (ACSC)
- Australian Digital Health Agency (ADHA)
- Department of Health
What if personal information shared and/or received from another organisation is compromised?
Organisations are expected to establish clear practices and/or procedures for complying with the privacy laws and the Notifiable Data Breach scheme. Therefore, your company agreements with other organisations should include clear obligations for which an entity will perform reporting of a suspected or confirmed data breach and the process for conducting a suspected data breach assessment.
In absence of these contractual requirements, please note, if you are aware of or suspect a data breach, and you or another entity does not report the breach, this is a violation of the Australian Privacy Act of 1988.
What if personal information under my care is encrypted, redacted, or masked?
If you handle personal information, you must consider how your business will protect this information during the stages of its lifecycle.
Even if the information is encrypted, redacted, or masked, various regulations still require you to report. If it is encrypted, and the encryption key has been potentially compromised, reporting and notification can still be required in many cases.
Who is CSR?
CSR Professional Services, Inc. is a leading provider of award-winning data life cycle management and expert services for businesses domestically and around the globe.
CSR enables compliance with Personal Information Principles requirements while facilitating best practices to reduce the business risk and financial liability associated with the acquisition, handling, storage, sharing and disposal of personal information, sensitive information, commercially confidential information and data.
How many companies use this service?
Thousands of businesses around the globe have enrolled in CSR Breach Reporting Service.
What qualifications do these “experts” have to collect this information and file reports?
CSR privacy experts have all received, and must maintain, one or more certifications from the International Association of Privacy Professionals (IAPP). Specialties vary from several regions around the globe, including Europe, Asia, Canada, United States, and more. Many of our experts also have sector-specific certifications such as the CIPT for Certified Information Privacy Technology and the CIPM for Certified Information Privacy Manager. In addition, all of our CIPMs have achieved a Fellow of Information Privacy (FIP) which is only awarded after years of proven dedication and experience in information privacy.
Can you help me with other privacy services?
Other services include personal information privacy compliance analysis, remediation, audit, education, special projects and consultation. If you would like further information, email firstname.lastname@example.org.
Can you send me some information?
You can go to our BRS page to read more about protecting personal information.