Mandatory data breach notification (MDBN) becomes law in Australia on 22 February 2018. This is a high-impact development that businesses must respond to: the obligation to inform customers when security measures fail puts at risk both advertising expenditure and the customer trust built up over years of high-quality service and reputable conduct.
Does the law apply to you?
Subject to some exceptions, the mandatory notification provisions will apply to private sector entities subject to the Australian Privacy Act, including entities with an annual turnover of more than $3 million, businesses that provide a health service and businesses that disclose personal information for advantage, as well as Federal Government agencies and businesses that contract with federal government agencies.
What do you need to do in the event of a suspected data breach?
1. Investigate and assess
An organisation that suspects it may have suffered unauthorised access to, disclosure or loss of personal information (a data breach) capable of causing serious harm to any affected individuals (an eligible data breach) will have 30 days to investigate and conclude whether an eligible data breach has in fact occurred.
The new law does not define the meaning of "serious harm". Guidance suggests that physical, financial and economic harm, and harm to reputation, could amount to serious harm. It is also suggested that where the information involved is sensitive information, it is more likely that any resulting emotional or psychological harm will be serious harm.
The new law provides that, in assessing the likelihood of serious harm, consideration should be given to the kind(s) of information that is the subject of the breach, the nature of the harm that might be caused, and the person or persons who have obtained or are likely to obtain the information. Whether or not the information is protected by security measures, and the likely effectiveness of any such measures, is also relevant.
The new law requires the preparation of a notification statement as soon as practicable on becoming aware of an eligible data breach. When the statement is complete it must be delivered to the Privacy Commissioner and the contents notified to the individuals to whom the relevant information relates or who are at risk from the breach. If individual notification is not practicable, the statement must be posted on the organisation's website and its content must be publicised.
The new law does not require notification where remedial action taken before any unauthorised access, such as wiping devices or changing passwords, is successful. It does not, however, suspend the duty to notify in order to allow time for remedial action.
Some practical steps that you can take to prepare for this new legislation:
- Modify your data breach response plan (if any) to take account of these new obligations. If you don't have such a plan, now is the time to put one in place.
- Your security questionnaire and relevant contractual provisions for third-party service providers should be updated to (a) take into account the need for full disclosure and cooperation from the provider should a breach occur and (b) manage the competing interests between you and the provider should there be a disagreement on matters such as whether or not the breach results in serious harm, who needs to be notified and what information to disclose in notifications.
- Although data breach is often discussed as a cyber security issue, the latest malware attacks have been delivered by targeted phishing, highlighting the need for better user awareness. Consideration should be given to training staff members on MDBN and updating security training, including appointing privacy champions in each business unit to train staff on the importance of respecting privacy and maintaining security.
- Review and update your organisation-wide security framework. Ensure that relevant information and security incidents are reported and investigated and that any necessary remediation and/or preventative steps are taken. Ensure that privacy impact assessments are undertaken and that data security is given priority in new project plans.
Globally, MDBN is nothing new: the US and Germany have had MDBN requirements for many years, the GDPR will introduce MDBN across Europe as of May 2018, and many other countries are in the process of following suit. This is a global issue; organisations need to be across it and understand their obligations in every country in which they operate.
This flowchart outlines the steps that need to be taken in the event of a potential data breach.