
Responding to data breaches

John Bennett

Part 4 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches

Overview of the Notifiable Data Breaches Scheme

Australia has had a mandatory data breach notification scheme since 22 February 2018 (Notifiable Data Breaches Scheme). The rationale for this scheme is that:[1]

“…if an individual is at likely risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.”

Application and requirements

The Notifiable Data Breaches Scheme only applies if there is an ‘eligible data breach’. Businesses aren’t obliged to notify every data breach. Indeed, the Turnbull Government considered that it was inappropriate to notify minor breaches because of the administrative burden, notification fatigue for individuals, and the lack of utility where notification doesn’t facilitate harm mitigation.[2]

An individual is deemed to be at risk from an eligible data breach in two circumstances:[3]

  1. There is unauthorised access to, or unauthorised disclosure of, the information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to the individuals to whom the information relates.
  2. The information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and, assuming that access or disclosure were to occur, a reasonable person would conclude that it would be likely to result in serious harm to the individuals to whom the information relates.

If there is an eligible data breach, then the business must give the Information Commissioner a statement as soon as practicable after becoming aware of the eligible data breach.[4] The business must also notify the individuals to whom the relevant information relates or who are at risk from the eligible data breach of the contents of the statement.[5] The business must publish the statement on its website or take reasonable steps to publicise the contents of the statement if there is no website.[6] The statement must set out:[7]

  • the business’ identity and contact details;
  • a description of the eligible data breach that the business has reasonable grounds to believe has happened;
  • the particular kinds of information concerned; and,
  • recommendations about the steps individuals should take in response.

Businesses only need to notify if serious harm is likely

There is only an eligible data breach if ‘serious harm’ is ‘likely’. The word ‘likely’ means the risk of serious harm to an individual is more probable than not.[8] The intended threshold for ‘serious harm’ includes serious physical, psychological, emotional, economic, financial and reputational harm.[9] An individual’s mere distress or upset at unauthorised access to personal information is not necessarily ‘serious harm’.[10]

Save notification by immediately eliminating the serious harm risk

The Notifiable Data Breaches Scheme provides businesses with the opportunity to take immediate action to eliminate the risk of serious harm. If the action is successful then there is no obligation for the business to report the data breach.[11]

No requirement to notify suspected eligible data breaches

The trigger for the notification requirements is that there are reasonable grounds to believe that there has been an eligible data breach. However, if the business only has reasonable grounds to suspect an eligible data breach, the legislation obliges the business to move quickly to resolve the suspicion by assessing whether an eligible data breach has occurred.[12] The notification requirements come back into play if the assessment reveals an eligible data breach. The expected timeframe for completing the assessment is 30 days.[13]

Data breach response plans

All businesses should have an up-to-date data breach response plan. These plans enable businesses to respond quickly to the data breach, and can substantially reduce impacts of the breach, costs and potential reputational damage. Plans help meet Privacy Act obligations, limit the consequences of the data breach, and build trust with your stakeholders.[14]

Responding to data breaches

Generally, there are four key steps to follow when responding:

  1. Contain the data breach to prevent any further compromise of personal information.
  2. Assess the data breach by gathering the facts and evaluating the risks.
  3. Notify individuals and the Office of the Australian Information Commissioner if required.
  4. Review the incident and consider what actions can be taken to prevent future breaches.

However, the response will typically vary on a case-by-case basis. Depending on the breach, some steps may be unnecessary or may be combined, and additional steps may be required.

Avenging data breaches

Along with referring breaches to the Australian Federal Police for criminal investigation, businesses should consider seeking damages through civil litigation when their data has been unlawfully accessed. For example, civil torts such as trespass, nuisance and conversion may be available. There may also be scope to claim under the Australian Consumer Law for misleading or deceptive conduct.

Read Part 1, Part 2 and Part 3

For more information, please contact Coleman Greig’s Privacy and Data Protection lawyers.


[1] Commonwealth, Parliamentary Debates, House of Representatives, 19 October 2016, 2430 (Michael Keenan, Minister for Justice).

[2] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 4 [11].

[3] Privacy Act 1988 (Cth) s 26WE.

[4] Privacy Act 1988 (Cth) s 26WK.

[5] Privacy Act 1988 (Cth) s 26WL.

[6] Privacy Act 1988 (Cth) s 26WL.

[7] Privacy Act 1988 (Cth) s 26WK.

[8] OAIC, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (July 2019).

[9] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 3-4 [9]-[10].

[10] Ibid.

[11] Privacy Act 1988 (Cth) s 26WF.

[12] Privacy Act 1988 (Cth) s 26WH.

[13] Privacy Act 1988 (Cth) s 26WH.

[14] OAIC, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (July 2019) 13.


© 2024 Coleman Greig Lawyers | Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230