December 2017 saw the Australian Parliament enact the Privacy Amendment (Notifiable Data Breaches) Bill 2017. The amendment brings the new law into effect on 22 February 2018, unless it is proclaimed earlier.
Who is affected?
The new law will apply to the following businesses and industry sectors:
- All businesses and non-government organisations with an annual turnover greater than $3 million
- All health service providers
- A limited range of small businesses with turnover less than $3 million, including:
  - Businesses that sell or purchase personal information, along with credit reporting bodies
  - Child care centres, private schools and private tertiary educational activities
  - Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records
  - Private sector health service providers, including alternative medicine practices, gyms and weight loss clinics
What exactly is a data breach?
There are many ways that a data breach can occur, so it’s important to understand what constitutes an eligible data breach, both to protect your clients’ information and to avoid hefty fines.
- Lost or stolen laptops, removable storage devices, or paper records containing personal information.
- Hard disk drives and other digital storage media (including those integrated in other devices, e.g. multifunction printers) being disposed of or returned to equipment lessors without the contents first being erased.
- Databases containing personal information being hacked into or illegally accessed by individuals outside of the organisation or business.
- Employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
- Paper records stolen from insecure recycling or garbage bins.
- The organisation or business mistakenly providing personal information to the wrong person.
- An individual deceiving the organisation or business into improperly releasing personal information of another person.
Notification of any of the above data breaches is compulsory under the new law. An eligible breach is a data loss incident where a “reasonable” person would conclude that the breach would be likely to result in serious harm to any of the affected individuals. Serious harm could include physical, psychological, emotional, financial and reputational harm.
There is no threshold for the number of affected individuals, and the serious harm test is assessed on a case-by-case basis. The test is satisfied if any individual whose information has been breached would suffer the harm.
Who needs to be notified?
Within 30 days of becoming aware, your organisation must carry out a reasonable and expeditious assessment as to whether there has been an eligible breach. If there has, notify the affected individuals as soon as practicable with a communication that includes:
- The identity of the organisation
- The description of the breach
- The kind of information concerned, and
- Recommendations to the individual regarding the steps they should take to protect themselves as a result of the breach.
What is the cost of the penalty?
Penalties per non-disclosure range from $360,000 for individuals to $1.8 million for an organisation or business.
What must you be doing now?
Hefty fines are one thing, but customer and reputational damage can be equally if not more harmful. We recommend that you get prepared by following the steps below before the new data breach laws take effect.
- Train all employees in security and fraud awareness, practices and procedures and code of conduct.
- Appoint the person best placed to evaluate a data breach and the likely harm it would do.
- Think about your business and what would constitute serious harm in relation to your clients and those whom you conduct business with, and develop some policies and procedures.
- If you haven’t done so already, implement privacy-enhancing technologies to secure personal information, including measures such as access control, copy protection, intrusion detection and robust encryption.
- Review your data breach plan or develop a new one, and test its effectiveness. If you’re proactive about information security you will be in a better position to remediate harm.
- Regularly undertake assessments of your data breach plan against relevant Australian Standards.
- Review contracts with service providers to ensure they comply with your obligations.
- Prepare a communication plan to publicise a notification and regularly test this to ensure it remains robust.
Whilst getting on top of the ins and outs of the data breach laws might seem quite a daunting exercise, at the end of the day they are there to protect all of us from the potentially devastating impacts of leaked private information and organised cyber crime.