Data Breaches Exposing Businesses to new Litigation Risks

Data Breaches Exposing Businesses to New Litigation Risks

June 7, 2018

Large businesses be warned! A breach of data will now result in more than a social media backlash and/or loss of reputation. Obligations to report data breaches are now more stringent, and non-reporting of these breaches may result in huge fines being imposed. Further to this, individuals whose personal information has been compromised may commence proceedings to recover damages beyond those stipulated in the Privacy Act 1988 (Cth).

Notifiable Data Breach (‘NDB’) Scheme

On 22 February 2018, the NDB Scheme came into force which was established under the Privacy Amendment (Notifiable Data Breaches) Act 2017 and introduced under the Privacy Act 1988 (Cth) (‘Privacy Act’). It ultimately gave more rights to any individuals affected by data breaches.

The Privacy Act lists the penalties available for those responsible for data breaches, however under this scheme, more damages are available beyond those listed under the Privacy Act. For businesses with a $3 million annual turnover, the scheme also introduced an obligation to notify both the affected individuals and the OAIC of a data breach which would likely result in serious harm. The scheme applies to organisations and agencies under the Privacy Act.

Damages only apply to serious breaches causing loss and damage. Businesses are being warned that this can give affected parties more rights and remedies. In calculating the damages, feelings of humiliation will also be considered.

It is easy to understandable why the NDB Scheme was introduced. Large businesses need to appropriately own up to their mistakes and immediately notify their customers of any potential data breaches. This will in turn allow any and all affected individuals to take appropriate action for recourse, if and when required.

Commbank

The hot topic at the moment surrounding this issue relates to recent conduct of the Commonwealth Bank of Australia (‘CBA’). Firstly, CBA recently admitted that it had failed to disclose a potential data breach affecting its customers. In 2016, CBA instructed FujiXerox, now known as FujiFilm to destroy magnetic tape drives containing customer’s financial details. However, CBA failed to locate any record that the details had in fact been destroyed. At the time, the new NDB scheme had not been introduced, which meant that CBA had no obligation to disclose the breach to affected individuals when it became apparent that there was a potential breach.

The bank’s failure to disclose the potential breach of data pertaining to approximately 20 million customer accounts at the time that it occurred has received widespread criticism. CBA has now sent emails to its customers relating to the May 2016 incident informing them that no personal information had been compromised.

Unfortunately for CBA, this was not the end of the story. Only last week the bank confirmed that their staff had inadvertently sent emails that contained data of 10,000 customers to an overseas company. The staff had sent 651 internal emails to addresses with the domain name “cba.com” rather than the bank’s domain name of “cba.com.au”.

This time CBA was quick to address the issue, and released a statement on Friday 1 June to the effect:

“We want our customers to know that we are committed to being more transparent about data security and privacy matters…Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers”

Full credit to CBA for appropriately responding to the incident. Their statement was timely, concise and in line with their obligations under the new NDB scheme.

Key takeaways

Make sure all your staff know your correct email address! If it CAN happen to the CBA, it CAN happen to any business;
Be familiar with the NDB Scheme and your obligations as a business;
Train your employees about the correct handling of personal information;
Develop polices in line with the NDB Scheme, and seek legal advice to ensure that your business is appropriately compliant;
Know what to do when there is a potential data breach, and how this may be handled through social media.

If you would like to receive our regular legal updates, please subscribe here. Alternatively, should you require any advice relating to data breaches and the NBD Scheme – please don’t hesitate to get in touch with:

TAGS:
Notifiable Data Breach Scheme, OAIC, PRIVACY ACT 1988

Send an enquiry

First name

Surname

Phone number

Email address

Message

Which area of law are you enquiring about?

Preferred office location

How did you hear about us?

Any personal information you provide is collected pursuant to our Privacy Policy.

Author

Big changes ahead for the regulation of building products in NSW

July 12, 2024

All participants in the construction industry need to be aware of imminent changes to the laws regulating building products.

SafeWork NSW releases new strategy to address psychosocial hazards

July 4, 2024

The SafeWork NSW Psychological Health and Safety Strategy 2024-2026 establishes new supports for employers regarding their duties in preventing psychosocial harm in the workplace.

Workplace relations changes effective 1 July 2024

June 28, 2024

As we move into the new financial year, the Fair Work Commission (FWC) have again released their annual update for employment law. Here’s what employers need to know about the changes.

Understanding roles in the strata scheme

June 17, 2024

A strata scheme is a building or group of buildings that have been divided into lots which can be apartments, villas, offices, units or townhouses. This will be articulated in the strata plan.

Can I put my home on Airbnb?

June 11, 2024

Airbnb is a form of short-term rental accommodation. To add your property to Airbnb in NSW, you are required to meet several laws and regulations governing short-term rentals.

When are liquidators required to seek approval to retain legal counsel?

May 30, 2024

When does a liquidator (or the company he or she is appointed to) need court, creditor, or committee approval to validly retain a solicitor to act in a liquidation matter which is likely to extend for longer than three months? The answer to this question has only recently been settled.

Women wearing denim jacket and man wearing a blue skirt sit together at a table as they look at a laptop screen

How to claim for unapproved variations? Quantum meruit in construction contracts

May 23, 2024

Building contracts establish the relationship between a builder and owner. Often however, changes are made to the scope of work during the course of a project that are not anticipated in the contract.

Draft legislation released for build-to-rent tax concessions

May 16, 2024

In April 2024 the Treasury released draft legislation implementing the ‘Build-to-Rent’ (BTR) tax concessions, which were first announced in the 2023-24 Federal Budget.

Proposed changes to building and construction law in NSW

May 14, 2024

The Building Bill 2022 (the Bill) is the key avenue through which the NSW Government has proposed to reshape the culture of the building and construction industry by eliminating poor performance and improving the quality of building statewide.

Paper doll cut outs of a man, woman and two children are on a book lying on a desk. There is a gavel in the background

Family Law amendments in force this week – What you need to know

May 7, 2024

As of 6 May 2024, changes to the Family Law Act 1975 from the Family Law Amendment Act 2023 and the Family Law Amendment (Information Sharing) Act 2023, passed 19 October 2023, are in effect.

Can you dismiss an employee who fails to return to the office?

April 24, 2024

Slowly but surely, most employers are requiring employees to return to the office for at least a portion of their working week. Some employers continue to struggle with employees resistant to returning to the office or those who have an expectation that they can continue to work from home whenever it suits them.

New powers to combat phoenixing in construction

April 4, 2024

The rise of phoenixing in the building and construction industry in Australia in recent years has proved a significant challenge to regulators. Mismanagement of time or cashflow can quickly propel businesses into insolvency.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.