Tony Conaghan

Notifiable Data Breaches Scheme Starts 22/2/2018 – Are You Ready?

Tony Conaghan

11 February 2018

Confidentiality and Privacy

Recovering from a major data breach can be difficult, stressful and time consuming for any organisation. It is essential to be well prepared. Organisations need to ensure they have all of the right processes and procedures in place so they can act quickly to minimise the harm, as well as comply with their new legal obligations under the Privacy Act’s mandatory Notifiable Data Breaches scheme (NDB).

From 22 February 2018, if a data breach occurs in your organisation or agency that is likely to result in serious harm to any individual, then you will promptly need to inform the Office of the Australian Information Commissioner (OAIC), as well as the individuals potentially affected.

Despite imminent commencement of the scheme, a recent study by cyber security provider CyberArk has however found that 44% of Australian businesses are not yet fully prepared to meet their obligations under this new scheme.

Following our initial review of the scheme, this article considers:

  • What is it that you still need to do to avoid substantial penalties for non-compliance?
  • How do you assess the risk of “serious harm”?

Mandatory data breach notification scheme

The NDB scheme introduces an obligation for certain organisations and agencies to notify the OAIC and individuals whose personal information is involved in an eligible data breach that is likely to result in serious harm, where the entity has not been able to prevent the likely risk of serious harm with remedial action.

Key points to note are:

  • Application: The scheme applies to all organisations and agencies with existing personal information security obligations under the Act (APP entities) including most Australian government agencies, businesses with an annual turnover of at least $3 million, and some smaller organisations (such as those that handle health data). The scheme does not generally include small business operators. However, there are some exceptions.
  • When to notify: At the point when the entity has reasonable grounds to believe that an eligible data breach has occurred, notification should occur as soon as practicable. If an entity has reasonable grounds only to suspect that an eligible data breach has occurred, the notification obligation does not arise. The scheme nevertheless requires the entity to complete a “reasonable and expeditious” assessment of the circumstances of the suspected breach within 30 days.
  • Eligible data breach: arises when there is unauthorised access to our unauthorised disclosure of personal information (e.g. recent breaches suffered by Yahoo, Equifax and eBay, et al); or a loss of personal information that an entity holds; or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. A noteworthy example of the latter would be selling the office filing cabinets before first removing the sensitive information from its drawers.
  • Serious harm: is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
  • Risk assessment: Whether a data breach is likely to result in serious harm to an individual requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position. Matters to be taken into consideration include:
    • the kind of information;
    • the individuals involved;
    • the sensitivity of the information;
    • security measures (if any) taken to protect the information (eg. encryption, anonymization);
    • how easily those security measures could be overcome;
    • the kind of person who obtained the information;
    • the potential uses of the information (eg. malicious purposes); and
    • the nature of the harm (eg. identity theft, loss of business).
  • Remedial action: While there are a number of exceptions from the requirement for notification, the key exception is where the entity takes remedial action before any serious harm is caused by the breach. For example: If an entity takes remedial action such that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach. For breaches where information is lost, the remedial action is adequate if it prevents unauthorised access to, or disclosure of personal information. It remains to be seen how this exception will fare in practice, although the OAIC has provided some scenarios as examples.

The notification process

When an entity has reasonable grounds to believe there has been an eligible data breach, the entity must, as soon as practicable, prepare a statement for the Commissioner, make a decision about which individuals to notify, and notify those individuals of the contents of this statement. The notification must include certain prescribed information including recommendations about the steps individuals should take in response to the breach.

There is some flexibility provided for in the notification of individuals depending on what is practicable in the circumstances but the means of notification must always be reasonable. For example, using the entity’s usual method of communication with the individuals may be a possibility.

Penalties

Failure to comply with an entity’s obligations under the scheme may result in consequences ranging from a public investigation to civil penalties of up to AUD$2.1 million. Of course there would also be the negative impact of a loss of trust in how the entity handles its customers’ data, and the potential flow-on market effect of that loss.

What you should do now – it’s not too late!

The prevalence of major data breaches in recent years demonstrates the need for organisations to be prepared to respond quickly and effectively, whether they suffer an accidental breach or a major cyber-attack by hackers. The NDB scheme adds an extra layer of legal obligation and compliance which is imminent.

Organisations and agencies should, if they have not already done so:

  • establish whether your organisation is covered by the scheme;
  • identify at-risk data;
  • audit current security processes and procedures which protect the data. In particular, assess the ability of the organisation to detect a data breach as soon as possible and respond quickly;
  • upgrade those processes and procedures where necessary – blocking unauthorised access to personal data helps to prevent reportable data breaches in the first place, as well as detecting breaches when they occur;
  • develop and document a comprehensive and compliant data breach response plan; and
  • train staff in the implementation of the plan.

The OAIC has issued updated resources to assist entities in understanding the new scheme, assessing their preparedness to act and developing their responses.

For more information contact:

Tony Conaghan | Partner | tconaghan@tglaw.com.au