From 22 February 2018, it will be mandatory for businesses to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals in certain circumstances if the business suffers a data breach. In this Focus Paper, we consider these requirements and summarise what your business will need to do to comply.
The rationale underpinning the mandatory data breach notification requirements is to enhance the protection of personal information held by businesses and to enable individuals to mitigate any harm caused by a data breach.
Data breaches (including data which is lost or stolen) are a fact of modern life. It has been estimated that more than 9 billion data records have been lost or stolen worldwide since 2013.[1] Direct selling businesses retain large amounts of personal information relating to their customers and distributors and should recognise that data breaches will occur. Therefore, businesses are encouraged to develop a robust cyber security framework, a data breach policy and a data breach response plan to ensure compliance with the law.
Under Australia’s federal privacy regime, the penalties that can be imposed on businesses for breaches of privacy can be as high as $1.8 million, and the damage caused by data breaches to a business’s reputation and brand can be irreparable.
To comply with the requirements of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Privacy Amendment Act),[2] relevant businesses must give formal notice if:
- there are reasonable grounds to believe an “eligible data breach” has occurred; or
- the Australian Information Commissioner (the Commissioner) believes on reasonable grounds that an “eligible data breach” has occurred and directs that business to give notice.
Businesses with an annual turnover of less than $3 million are not required to comply with the Privacy Act, unless an exception applies to the business, such as where it collects health information, which is “sensitive information”. Accordingly, while a direct selling business’s distributors will not ordinarily be required to comply with the Privacy Act, if they collect health information from customers and distributors in their downlines, they must comply. Health information can include, for example, a person’s opinion about their own level of fitness.
What is an “eligible data breach”?
There will be an eligible data breach where:
- there is unauthorised access to, or unauthorised disclosure of, personal information; or
- information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, personal information is likely to occur; and
- a reasonable person would determine that access or disclosure would likely result in “serious harm” to any individuals to whom the information relates.
What is “serious harm”?
Serious harm is assessed from the standard of the reasonable person. It could include harm which is physical, psychological, emotional, economic, financial or reputational. However, individual upset or distress on its own is unlikely to constitute serious harm.
In assessing whether a reasonable person would conclude that disclosure or access would be likely to result in serious harm, relevant considerations include:
- the kind of information and its sensitivity, for example, health information or credit card details;
- whether the information is protected by one or more security measures;
- the likelihood that any of those security measures could be overcome;
- whether a security technology was used to make the information unintelligible or meaningless to unauthorised persons; and
- the likelihood that a person has obtained or could obtain information or knowledge to circumvent the security technology.
Which form of notice is required?
If a business has reasonable grounds to believe an eligible data breach has occurred, or the business is directed to provide a notification by the Commissioner, the business must prepare a statement.
The statement must include:
- the identity and contact details of the business;
- a description of the data breach;
- the kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the data breach.
A copy of the statement must be given to the Commissioner. The business should then notify each individual:
- to whom the relevant information relates; or
- who is at risk from the eligible data breach,
of the contents of the statement as soon as practicable after the business is aware that there are reasonable grounds that an eligible data breach has occurred.
Direct selling businesses may use their usual method of communication when notifying an individual, for example, SMS, a phone call, email or a social media post. If it is not practicable to notify each individual, the business must publish a copy of the statement on its website and take reasonable steps to publicise the statement’s contents.
Are there any exceptions?
Unless an exception applies, notification of an eligible data breach is mandatory. The Privacy Amendment Act introduces a number of exceptions, including:
- Remedial action: if the business takes remedial action in response to an eligible data breach and a reasonable person would conclude that, as a result of the action, the breach would not be likely to result in serious harm to any individuals.
- Inconsistency with secrecy provisions: if notification would be inconsistent with Commonwealth secrecy provisions.
- Commissioner’s declaration: if the Commissioner declares that the business is exempt from complying with the notification requirements for a certain period of time. The Commissioner may make the declaration on the Commissioner’s own initiative or upon application by the business.
What are the consequences for contravening the Privacy Act?
Failure to comply with the Privacy Act may be treated as an interference with the privacy of an individual. For a corporation, the maximum civil penalty that can be imposed for a serious breach, or for repeated breaches, of the Privacy Act is $1.8 million. In addition, a corporation may be ordered to compensate an individual for any loss or damage caused.
Data breaches by a direct selling organisation can also cause significant damage to the organisation’s reputation and erode the trust that both customers and other participants in the direct selling industry place in a direct selling business, as well as cause significant business interruption and loss. As we have previously reported, company directors are responsible for cyber security issues and, in the event of a data breach, could be found to be personally liable.[3]
Is your direct selling business prepared to handle a data breach?
Does your business (and/or your independent distributors) collect sensitive information, such as health information? Do your independent distributor agreements and/or Policies and Procedures contain privacy obligations? Are your independent distributors required to notify you of any suspected data breaches? These are all matters which you should consider when determining whether your business and your independent distributors are taking reasonable steps to ensure privacy compliance.
As discussed above, the security measures and technology used by a business are important factors in determining whether a data breach has caused or is likely to cause serious harm in the eyes of a reasonable person. This demonstrates the need for direct selling businesses to be better protected and insulated from cyber risks.
In partnership with leading technology and risk management experts, Addisons has developed a simple Cyber Health Check to enable you to assess your resilience level. Please do not hesitate to contact us to explore strategies to enable your business to develop a robust cyber security framework. Not only will this protect your commercial interests, but it will also ensure that you are prepared to comply with the Privacy Act by 2018.
We encourage you to create a data breach policy and a response plan. The OAIC’s guide to developing a data breach response plan was published in April 2016.[4] The guide is being updated to reflect the changes introduced by the amendments to the Privacy Act. Addisons can assist your business to develop a data breach policy and response plan which will align you with best practice.
22 February 2018 is fast approaching; make sure your business is prepared!