(Cyber)crime and Punishment: A Snapshot of the New Mandatory Notifiable Data Breaches Scheme
From 22 February 2018, any entity subject to the Privacy Act 1988 (Cth) and Australian Privacy Principles (National Privacy Laws) must report any instance of ‘eligible data breach’ to the Office of the Australian Information Commissioner (OAIC) and any individuals who may be potentially affected by that breach.
This only applies to you if your business is an entity that is subject to the National Privacy Laws. Significantly, many small businesses and not-for-profits have ‘opted-in’ to be bound by the National Privacy Laws – these entities also have this mandatory obligation. If you are not sure whether your business has ‘opted-in’, you should contact the OAIC or your legal advisor to confirm. Click here to access an OAIC guide to help businesses determine whether they fall within the mandatory scheme.
The obligation arises if your business has reasonable grounds to believe that an eligible data breach has occurred. An eligible data breach will occur if:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that your business holds;
- this event is likely to result in serious harm to at least one individual; and
- your business has been unable to prevent that likely risk of harm from eventuating with remedial action.
This definition means that even small-scale breaches (eg an employee accidentally emailing personal information to the wrong customer) can attract the same mandatory reporting obligations as large-scale breaches (eg a national customer database hack).
This definition also means that your business will have a mandatory reporting obligation even if serious harm might not eventuate (ie as long as, on balance, the harm is more likely to eventuate than not eventuate). Further, the term ‘harm’ is broad, and could therefore extend to a number of potential negative outcomes including physical, psychological, emotional, reputational and financial harm.
Click here to access an OAIC guide to help businesses determine whether a data breach falls within this definition.
If an eligible data breach happens and the laws apply to your business, your business must notify OAIC and any person affected by the breach. Your business can notify the Commissioner of OAIC using this form. Failing to do so could result in consumer complaints, OAIC investigation and civil penalties being awarded against the business.
OAIC recommends that all businesses that are subject to the mandatory scheme maintain a comprehensive and up-to-date data breach response plan to help them comply with their obligations in the event of a suspected data breach. OAIC has also released a guideline to help businesses develop a data breach response plan. Click here to access a copy of the guide.
Businesses may also wish to take this opportunity to review their existing policies, procedures, cyber security frameworks, insurances and other risk mitigation tools relating to data collection, use, storage and disclosure, to ensure that they are taking all reasonable steps to prevent an eligible data breach occurring. It would also be prudent to ensure that all staff members receive adequate training, including training about these new mandatory reporting obligations. Any data breach presents a risk to business reputation and goodwill from customers, so prevention is often the best course of action.
If a data breach has occurred, it is important that your business responds promptly, effectively and in compliance with all of its legal obligations under the National Privacy Laws. A team of professionals – including legal advisors, public relations firms and cybersecurity technology providers – can help your business investigate, respond to, and reduce all risks arising from a data breach.
To find out more about how we can help your business comply with the National Privacy Laws, contact Jessica Kinny.
This blog post does not constitute legal advice and should not be relied upon as such. It is a general commentary on matters that may be of interest to you. Formal legal or other professional advice should be sought before acting or relying on any matter arising from this communication.