Dealing with Data Breaches
How to manage data security risks, protect your business and comply with the new legal requirements introduced in February 2018.
Public confidence in data security is at an all-time low. The media constantly reports further examples of businesses being hacked and personal data being lost or stolen.
Are your business systems secure? Is personal information held by your organisation secure?
Do you have processes in place for managing data breaches?
In the event of a data breach, your company’s response will be highly scrutinised. You will be held accountable by the public and under the law. Anonymous hackers cannot be used as the scapegoat. Importantly, you must comply with your new legal obligations under the Notifiable Data Breach Scheme (NDB Scheme), commencing 22 February 2018.
The Prevalence of Data Breaches
Data breaches are becoming increasingly frequent and highly damaging. 10.5 million records were lost or stolen each day worldwide, during the first half of 2017.
Australia has the highest rate of data breaches in the Asia-Pacific region. Late last year, 50,000 Australians and 5,000 federal public servants had sensitive personal information exposed, in one of the nation’s biggest data breaches to date.
In recent years, we’ve seen reports of countless high-profile data breaches worldwide.
Timeline of High-Profile Data Breaches
November 2017: Revelations that Uber had failed to notify users that their personal data had been stolen in October 2016. Hackers had accessed 57 million users’ data.
September 2017: Credit agency Equifax announced that it had lost the personal data, including financial records, of 143 million US customers in a massive hack. There is concern this cyberattack could be replicated in Australia.
October 2016: Half a million Australians had their private medical histories made public when Australian Red Cross Blood Service files were accidentally placed on an unsecured website.
August 2016: Confirmation that the email addresses and passwords of 68 million Dropbox users had been hacked in mid-2012.
May 2016: LinkedIn had 164 million email addresses and passwords exposed. Similar to Dropbox, the data breach occurred in 2012 and was only uncovered in 2016.
October 2013: 153 million Adobe accounts were breached.
August 2013: Data on all 3 billion Yahoo user accounts was stolen.
These data breaches are just the tip of the iceberg – many breaches remain undetected for years. New legal requirements relating to data breaches have just been introduced in Australia. Read on to find out how to comply with the new scheme.
Changes to Privacy Law – Notifiable Data Breaches
The Notifiable Data Breach Scheme (NDB Scheme) commenced on 22 February 2018, via amendments to the Privacy Act 1998 (Cth) (Privacy Act). The NDB Scheme is set out in Part IIIC of the Privacy Act, and makes it mandatory for certain businesses and organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of “eligible data breaches” (this is discussed further below).
The NDB Scheme introduces civil penalties of up to $2.1 million for corporations. The scheme is designed to improve transparency, strengthen the protection of personal information and facilitate better responses to data breaches.
Is my business or organisation affected?
The NDB Scheme applies to:
all businesses and organisations who are already required to comply with the Australian Privacy Principles (APPs);
all businesses and organisations who receive Tax File Numbers, including those entities not already covered by the APPs (e.g. small businesses);
credit providers and credit reporting bodies.
What is an “Eligible Data Breach”?
It is mandatory for organisations and businesses to notify the OAIC and affected individuals of an eligible data breach.
At high level, an “eligible data breach” includes instances where:
there has been unauthorised access to, or the disclosure of, “personal information” (as this term is defined by the Privacy Act), and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the access or disclosure of personal information;
personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of the personal information and a reasonable person would include that there is a likely risk of serious harm to the affected individuals.
There is no definition of what constitutes “serious harm”. However, guidelines published by the OAIC indicate that it could include physical, psychological, emotional, economic and financial harm.
Data breaches must be assessed on a case-by-case basis, with consideration of the individual affected, and the nature of the data breach – there is no uniform way in which to consider and respond to breaches.
Some examples of data breaches include:
Losing your phone or laptop
Failing to keep your passwords secure
Accidentally sending an email to the wrong address
Hackers gaining access to your system
Data breaches may be caused by one or more of the following:
Accidental loss or exposure
Reporting and Notification Requirements
Last financial year the OAIC received 149 data breach notifications. This figure is likely to increase dramatically, thanks to the new mandatory notification scheme.
As soon as practicable once becoming aware of, or reasonably suspecting, an eligible data breach, organisations must:
promptly notify the individual(s) at likely risk of serious harm; and
notify the OAIC as soon as reasonably practicable. Notifications can be lodged online.
Guidelines published by the OAIC state that the notification must include:
the identity and contact details of your organisation;
a description of the data breach (or suspected data breach);
the kinds of information concerned;
recommendations about the steps individuals should take in response to the data breach.
Be proactive. Your business should take steps to:
review existing privacy documentation, including privacy policies and internal privacy compliance and management plans;
introduce a management plan which outlines how the organisation will respond to and address data breaches – this could be incorporated into existing privacy compliance and management plans;
ensure staff are adequately trained in collecting, storing, handling and accessing personal information and responding to privacy breaches (including eligible data breaches);
assess the various types of personal information you collect and the adequacy of your data management systems;
review arrangements with third parties who hold, collect or store personal information on behalf of your organisation (e.g. outsourced companies); and
review and update other workplace policies such as IT, Computer and electronic device, and Social Media policies.
Please don’t hesitate to contact Henry William Lawyers if you require any assistance regarding your legal obligations. We can provide comprehensive, personalised advice about managing data security risks in your business.
For more information on the NDB Scheme, please visit the OAIC websit
For up-to-date information on the latest cybersecurity threats, please visit Stay Smart Online.
Thank you to Shannon Smith and Angela Cartwright for their assistance with this article.