Incoming legislation relating to mandatory notification for data breaches comes into effect from 22 February, 2018. Once in effect, the new regime will require agencies and organisations that are subject to the Privacy Act 1988 to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals in cases where there has been a confirmed ‘eligible data breach’ of personal information.
As it currently stands, organisations holding sensitive information have discretion as to whether they disclose data breaches to affected customers, clients and/or the Privacy Commissioner.
Why is this so important for businesses? The answer lies in all of the client information necessarily stored as part of the everyday running of a company. If accessed by an unauthorised third party, this information could very well result in instances of identity theft, or ‘serious harm’. Accordingly, it is essential that your organisation makes itself familiar with all requirements of the new regime, and that you are ready to respond swiftly and effectively should an eligible data breach occur.
What is an eligible data breach?
An ‘eligible data breach’ occurs when:
- There is unauthorised access to, or disclosure of information;
- Information is lost under circumstances where unauthorised access or disclosure is likely to occur; or,
- A reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to whom the information relates.
The Commissioner has provided the following examples of eligible data breaches:
- Theft of a device containing a client’s personal information;
- Hacking of a database that contains a client’s personal information; and,
- Where a client’s personal information is mistakenly disclosed to the wrong party.
A real-world example of this can be seen in Uber’s recent data breach saga, where it has been alleged that data belonging to 57 million users was hacked. Instead of addressing the hack, the company paid the hackers $132,000 to delete the information. Had the pending legislation been in effect at the time of the breach, Uber would most likely have faced serious penalties for not disclosing the breach.
What does serious harm mean?
When considering what actually amounts to ‘serious harm’, the Commissioner has suggested that organisations assess any data breach based on the type of information that was accessed, the level of sensitivity of that information, and the nature of the harm likely to result to any individuals whose personal information was accessed. The Commissioner has advised that factors including physical, psychological, emotional, economic and financial harm, as well as harm to an individual’s reputation, should be taken into consideration throughout the assessment.
When and how must a notification be prepared?
An organisation has 30 days in which to conduct an assessment to confirm whether a breach is eligible, and to comply with the notice obligations (if required).
The legislation provides that where an ‘eligible data breach’ of personal information has indeed occurred, the organisation must prepare a notification that includes the following details:
- The contact details of the organisation;
- A description of the data breach that the organisation believes has occurred;
- The kind(s) of information that was subjected to the breach; and,
- Recommended steps that affected individuals should take in response to the breach.
The notification containing the relevant material must be forwarded to the Commissioner as soon as reasonably practicable after the organisation becomes aware of the breach. Where possible, organisations must also notify any individuals potentially at risk as a result of the breach. If it isn’t practicable to do so, the organisation must take reasonable steps to otherwise publicise the notice.
There are some exceptions that can apply under the regime, such as when an organisation that has experienced a data breach takes remedial action after the breach occurs in order to ensure that affected individuals don’t suffer any serious harm. Whether or not this is possible is dependent on the circumstances surrounding the breach, although Coleman Greig advises that organisations keep this in mind as part of their response.
It’s also important to note that failure to comply with the notification regime can potentially result in fines of up to $1.8 million. Accordingly, organisations need to be on alert and well prepared to deal with any and all potential data breaches.
What should you do before 22 February?
- Familiarise yourself with the legislation: The legislation provides extensive guides regarding what should be done if an eligible data breach occurs.
- Review your IT contracts: If you’re using a third party to hold your data, you should make sure that they’re obliged to notify you of any data breach as it occurs and that they cooperate with you in investigating the breach.
- Create an internal response plan: The legislation requires organisations to prepare a notification to the Commissioner as soon as practicable after becoming aware of the eligible data breach having occurred – so ensure that your organisation has a process in place to both assess and respond when a breach does occur.
- Consider which of your clients may collect personal information: As a trusted advisor to your clients, you should ensure that they are sufficiently informed with regard to the new privacy laws, and how they may affect their business.
- Increase security measures/ensure they are up to date: As technology constantly evolves, so do the ways in which your sensitive information can be leaked or disclosed. Coleman Greig suggests using reputable and effective software to protect such data, as well as undertaking relevant upgrades wherever possible.
What else should you be aware of?
The new mandatory regime in respect of data breaches adds yet another layer of compliance and regulatory responsibility for businesses who collect, handle and store client information.
Organisations will of course be familiar with their obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Additionally, for businesses with systems set up to receive payments from Visa and MasterCard credit or debit cards, regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS) may also apply.
The introduction of this new regime may be an opportune time for organisations to undertake a review of their internal policies and procedures to ensure that they are complying with their obligations under these regulations, as well as having a response plan in place should a breach (whether data or privacy related) occur.
Does a data breach mean that a breach of confidentiality has occurred?
Organisations should also take note of their obligations with regard to any non-disclosure or confidentiality agreements that they have entered into with their clients or other businesses.
Whilst the OAIC’s new regime will indeed require appropriate notification of any eligible data breaches, an organisation should be aware of exactly what type of information is covered by any confidentiality agreements that they may have entered into – as a leak of information not covered by a confidentiality agreement may not always be defined as a breach of confidentiality (even if an eligible data breach has occurred) and similarly vice versa.
It is therefore important for organisations to conduct a proper assessment of exactly what information has been accessed if a data breach does occur, and then determine what its reporting and notification obligations are under both the OAIC’s regime and any relevant confidentiality agreement.