Australia’s mandatory data breach notification obligations came into force on 23 February 2018. Your organisation may no longer have the option to conceal serious cybersecurity breaches. Timothy Webb and Sumer Dayal from Clayton Utz explain what you need to know. 

As 2017 in particular demonstrated, even high-profile companies like Equifax, Uber and Verizon are vulnerable to serious incidents that can compromise personal information on a large scale.

Understanding the new Notifiable Data Breaches (NDB) Scheme and creating a response framework should therefore be a key consideration for 2018 to avoid serious reputational risks and civil penalties.

Origins of the NDB Scheme

The scheme came into force through amendments to the Privacy Act 1988 (Cth) (Privacy Act) by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Amendments).

Who does it apply to?

The NDB Scheme applies to agencies and organisations that are required to take steps to secure certain categories of personal information under the Privacy Act.  This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, and health service providers.

When do the notification obligations arise?

Where there are reasonable grounds to believe that an “eligible data breach” has occurred — exceptions to this are discussed below — or an organisation is directed to do so by the Office of the Australian Information Commissioner (OAIC).

An eligible data breach is one where a reasonable person would conclude that there is a likely risk of serious harm to the individuals to whom the information relates as a result of the unauthorised access or disclosure.  This covers both intentional and unintentional acts, from a malicious hacker penetrating the organisation’s network to an employee inadvertently leaving an unsecured laptop on public transport.

However, an eligible data breach does not include circumstances where:

  • the organisation has taken remedial action before any serious harm occurred.  The action must be such that a reasonable person would conclude that the access or disclosure of information would not likely result in serious harm to affected individuals; and
  • an organisation only has reasonable grounds to suspect that an eligible data breach has occurred.  Organisations will be required to complete a “reasonable and expeditious assessment into the relevant circumstances within 30 days, ensuring that wilful ignorance will not avoid the requirements of the Privacy Act.

Organisations must promptly notify the OAIC and any potentially affected individuals of the eligible data breach.  This involves:

  • preparing and providing a statement to the OAIC containing information prescribed by the Amendments about the data breach (including recommendations that individuals should take in response); and
  • taking steps to notify affected individuals of the contents of the statement. This may involve sending the statement to the individual via normal means of communication or, if this is not practicable, publishing the statement on the organisation’s website.

When is there “serious harm”?

Serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. Serious harm will be “likely” if such harm is “more probable than not” having regard to relevant matters including:

  • the kind of information;
  • the sensitivity of the information;
  • whether the information is protected by security measures (such as encryption) and how easily those security measures could be overcome; and
  • the nature of the harm.

Exceptions

Organisations may be exempt from the notification obligations in the following circumstances:

  • the requirements to issue statements or contact individuals regarding eligible data breaches will not attach to eligible data breaches of other entities;
  • if the CEO of an enforcement body believes that compliance would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body;
  • where notification would be inconsistent with secrecy laws that prohibit or regulate the use or disclosure of information (to the extent of that inconsistency); and
  • where the Commissioner makes a declaration that some or all of the obligations do not apply.

What should you do next?

To ensure compliance, organisations should:

  • review  the OAIC’s comprehensive guide  to complying with the NDB scheme now available on its website;
  • audit their current information security processes and procedures to ensure they are adequate; and
  • prepare a data breach response plan (or update the current plan) to enable organisations to respond quickly, efficiently and lawfully to an actual or suspected data breach.

Compliance with these new laws will be much easier for organisations that are prepared for data breaches and have the ability to detect and take action before any serious harm occurs.

Organisations would be wise to have in place detailed policies and procedures which outline the steps to be taken in response to a serious data breach, regardless of whether that breach has occurred inadvertently by the organisation or following a coordinated attack by hackers.

After all, prevention is better than a cure.