The Privacy Amendment (Notifiable Data Breaches) Act 2017 went into effect in late February 2018. Australian entities that are subject to the Privacy Act 1988 must now report ‘eligible data breaches’ to the Office of the Australian Information Commissioner and any individuals who may be affected by a data breach.
That is a deceptively simple statement with a lot to unpack. Nonetheless, a wide array of businesses and governments must comply with these changes immediately or risk substantial civil penalties. The wrath of consumers whose data has gone astray could be even worse than the fines.
It is obviously important to have a strategy in place to detect data breaches and to contain and remediate their damaging effects. The plan must be based on an understanding of the law.
Who do the new amendments apply to?
Although the legal language is fairly opaque, the short answer to the question is “almost everyone.” More specifically, it includes government agencies and nearly every business, including non-profit organisations, that:
- engages in credit reporting or provides credit;
- holds any information that is personally identifiable; or
- holds tax file number information.
There are exceptions for businesses with an annual turnover of $3 million or less, but there are also exceptions to the exceptions (for example, businesses that trade in personal information or provide health services). Unless notified otherwise by your lawyer, assume that these new requirements apply to your organisation.
What kind of data breach does the law apply to?
The legal language is not a model of clarity here either, but entities must act when:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Estimating the likelihood of serious harm requires an exercise of legal judgment, but businesses that have become aware of a data breach may consider:
- the kind and sensitivity of the data compromised;
- whether it is encrypted, how strong that encryption is, and whether the key could also have been obtained;
- who might have obtained the data and what they could do with it; and
- the nature of the harm that could follow, whether financial, physical, psychological or reputational.
Entities may also consider whether they have taken effective remedial action after the breach that prevents the harm. If that action means serious harm is no longer likely, the breach is not an “eligible data breach” and need not be reported.
That is a dangerously tempting argument, though. There are powerful counter arguments for erring on the side of over-disclosure to protect the consumers and other people to whom the data belongs. It is, at least in part, a question of business reputation as well as law.
What actions must my business take?
If the breach triggers an obligation to act, affected businesses and government agencies must do two things:
- notify the Office of the Australian Information Commissioner about all the details; and
- tell the individuals whose information has been compromised.
Step two is the truly painful part. As soon as practicable after concluding that an eligible data breach has occurred, your organisation must come clean with a description of the data breach, the kinds of information that have been compromised, and the steps that an individual should take in response to the incident. It is important to give customers a chance to take their own actions to defend themselves, such as changing passwords or watching for fraudulent credit applications. In some cases, notification must be done on an individual basis. In others, where direct contact is not practicable, publishing the statement on your website and taking reasonable steps to publicise it is sufficient.
No business wants to be in the position of having to take these steps.
How do I stay out of trouble?
Many organisations that have already taken steps to comply with the Privacy Act 1988 will be well placed to detect data breaches when they occur. The additional steps to comply with the new disclosure requirements should be relatively simple to implement.
In general, businesses should prepare a plan to deal with data breaches that delegates specific responsibility for identifying and closing security holes, notifying government agencies and impacted individuals, and training staff to prevent another breach. The plan should also include all third-party service providers that have access to your data, since a breach at a provider is still your breach to assess and report. It should also have an aggressive timeline: the Act requires a suspected breach to be assessed within 30 days, and notification to follow as soon as practicable once an eligible breach is confirmed, so the clock is running from the moment anyone in the organisation has reasonable grounds to suspect a problem.
The attorneys at Owen Hodge Lawyers would like to help you and your organisation prepare for and respond to any data breaches in accordance with the law. Please call us to schedule a consultation at 1800 770 780.