Computer hacker stealing data from a laptop

Data Breaches Exposing Businesses to New Litigation Risks

Large businesses be warned!  A breach of data will now result in more than a social media backlash and/or loss of reputation.  Obligations to report data breaches are now more stringent, and non-reporting of these breaches may result in huge fines being imposed.  Further to this, individuals whose personal information has been compromised may commence proceedings to recover damages beyond those stipulated in the Privacy Act 1988 (Cth).

Notifiable Data Breach (‘NDB’) Scheme

On 22 February 2018, the NDB Scheme came into force which was established under the Privacy Amendment (Notifiable Data Breaches) Act 2017 and introduced under the Privacy Act 1988 (Cth) (‘Privacy Act’).  It ultimately gave more rights to any individuals affected by data breaches.

The Privacy Act lists the penalties available for those responsible for data breaches, however under this scheme, more damages are available beyond those listed under the Privacy Act.  For businesses with a $3 million annual turnover, the scheme also introduced an obligation to notify both the affected individuals and the OAIC of a data breach which would likely result in serious harm.  The scheme applies to organisations and agencies under the Privacy Act.

Damages only apply to serious breaches causing loss and damage.  Businesses are being warned that this can give affected parties more rights and remedies.  In calculating the damages, feelings of humiliation will also be considered.

It is easy to understandable why the NDB Scheme was introduced.  Large businesses need to appropriately own up to their mistakes and immediately notify their customers of any potential data breaches.  This will in turn allow any and all affected individuals to take appropriate action for recourse, if and when required.

Commbank

The hot topic at the moment surrounding this issue relates to recent conduct of the Commonwealth Bank of Australia (‘CBA’).  Firstly, CBA recently admitted that it had failed to disclose a potential data breach affecting its customers.  In 2016, CBA instructed FujiXerox, now known as FujiFilm to destroy magnetic tape drives containing customer’s financial details.  However, CBA failed to locate any record that the details had in fact been destroyed.  At the time, the new NDB scheme had not been introduced, which meant that CBA had no obligation to disclose the breach to affected individuals when it became apparent that there was a potential breach.  

The bank’s failure to disclose the potential breach of data pertaining to approximately 20 million customer accounts at the time that it occurred has received widespread criticism.   CBA has now sent emails to its customers relating to the May 2016 incident informing them that no personal information had been compromised.  

Unfortunately for CBA, this was not the end of the story.  Only last week the bank confirmed that their staff had inadvertently sent emails that contained data of 10,000 customers to an overseas company.  The staff had sent 651 internal emails to addresses with the domain name “cba.com” rather than the bank’s domain name of “cba.com.au”.  

This time CBA was quick to address the issue, and released a statement on Friday 1 June to the effect:

“We want our customers to know that we are committed to being more transparent about data security and privacy matters…Our investigation confirmed that no customer data has been compromised as a result of this issue.  We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers”

Full credit to CBA for appropriately responding to the incident.  Their statement was timely, concise and in line with their obligations under the new NDB scheme.  

Key takeaways

  • Make sure all your staff know your correct email address!  If it CAN happen to the CBA, it CAN happen to any business;  
  • Be familiar with the NDB Scheme and your obligations as a business;
  • Train your employees about the correct handling of personal information; 
  • Develop polices in line with the NDB Scheme, and seek legal advice to ensure that your business is appropriately compliant;
  • Know what to do when there is a potential data breach, and how this may be handled through social media.

If you would like to receive our regular legal updates, please subscribe here.  Alternatively, should you require any advice relating to data breaches and the NBD Scheme – please don’t hesitate to get in touch with:

Share:

Send an enquiry

Any personal information you provide is collected pursuant to our Privacy Policy.

Categories
Archives
Author

More posts

Employers should exercise caution when dismissing during probationary period

Can you dismiss an employee during the probationary period? Yes, but a recent case is a lesson in caution. The recent Federal Court decision of ‘Dabboussy v Australian Federation of Islamic Councils’ is a warning to employers to consider the importance of timing if dismissing an employee during probation.

The business impacts from the Government’s new cyber security laws

Cybercrime ‘is a multibillion-dollar industry that threatens the wellbeing and security of every Australian’. In an effort to combat the impact on businesses and individuals, the Australian Government has introduced cyber security legislative reforms into the Parliament.

A guide to intrafamily adoption

Adoption is the process where a parent’s legal rights for their child are transferred to another person. The formal adoption of a stepchild or close relative is known as intrafamily adoption.

Passenger movement and visa data-matching by the ATO

Heading overseas for work or a holiday? Taxation issues, including tax residency, should be on front of mind when departing from or arriving to Australia. Why? Because the Australian Taxation Office (ATO) can follow your footprints and, if you’re not careful, spring unexpected taxes on you.

Is it really necessary for my executor to have so many powers?

People often question why the executor of their estate needs to have so many powers. Simply put – if your executor isn’t given any additional powers by your Will, then they are limited to what is set out in the Trustee Act. One area that this can lead to issues in, is the family home – particularly if beneficiaries aren’t in agreement.

Essential terms of a commercial lease

A commercial lease is a contract that details the rights and obligations of a tenant and landlord. So, what are the necessary terms of a commercial lease?

Responding to data breaches

In the final part of our four-part series on your business’ responsibilities related to cyber attacks and data breaches, Special Counsel John Bennett how businesses should respond to data breaches, including application and requirements of the Notifiable Data Breaches Scheme.

Security of personal information

Part 3 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches where Special Counsel, John Bennett provides an overview of some court decisions and proceedings where ‘security’ of personal information has come into issue.

Parental alienation in Family Law

The concept, Parental Alienation Syndrome, was initially brought about by American psychiatrist Richard Gardner in 1985. The term parental alienation is used to describe a situation where one parent is involved in psychologically manipulating their child to turn against the other parent.

Are you liable for labour hire workers if they are injured?

Many employers (host employers) engage employees of labour hire companies, particularly in the building and construction, hospitality and manufacturing industries. However, what happens when one of these employees gets injured at the host employer’s work site? Who is liable for the injuries?

© 2024 Coleman Greig Lawyers  |  Sitemap  |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230