We’ve all heard about the increasing prevalence of data ‘breaches’ and ‘hackings’.
Some well-publicised examples include:
- The hacking of Microsoft’s Business Productivity Online Suite in 2010;
- The theft and publication of 6 million user passwords from LinkedIn in 2012. This was followed up in May 2016, when hackers stole and posted for sale on the dark web an estimated 167 million LinkedIn email addresses and passwords; and
- The breach of 68 million user accounts at Dropbox in 2012, where the offender gained access to email addresses, passwords, and nearly 5 gigabytes of data.
One of the things that really upset users is that many of these major breaches were kept under wraps by the affected companies for many years, which prevented the users from acting to protect their data or seeking compensation from the companies.
Rather than sit on its hands, our government has decided to try and do something about it. The relevance and practicality of this response is open to debate. But if your business turns over $3 million or more, or if you have less than $3 million turnover but fall under the other applicability rules, then you need to understand these measures, which come into effect from February 2018.
What are these measures and how do they impact you? In this article, we provide a crash course on these changes, and some tips on how to make sure your business complies.
What are the key changes to the Privacy Act?
Starting from 22 February 2018, all ‘APP entities’ will be required to notify the Office of the Australian Information Commissioner (OAIC) if a ‘Notifiable Data Breach’ occurs. The OAIC refers to this as the “Notifiable Data Breach (NDB) scheme”.
Who must comply with the NDB scheme?
The NDB scheme will apply to all ‘APP entities’. APP entities are entities that are required to comply with the Australian Privacy Principles under the Privacy Act.
‘APP entities’ includes all businesses with an annual turnover of more than $3 million.
‘APP entities’ also includes small businesses (i.e. businesses with turnovers of less than $3 million) if they are:
- Private sector health service providers (including medical practitioners, pharmacists, gyms and weight loss clinics);
- Complementary therapists, such as chiropractors or psychologists;
- Childcare centres, private schools and private tertiary educational institutions;
- Businesses that sell or purchase personal information;
- Credit reporting bodies; or
- Related to a business that is an APP entity.
What new obligations are imposed by the NDB scheme?
The NDB scheme requires APP entities to notify the OAIC and any affected people as soon as practicable if they have a reasonable concern that a ‘Notifiable Data Breach’ has occurred.
A ‘data breach’ is defined generally as a situation where ‘personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference’.
A ‘Notifiable Data Breach’ arises if:
- There has been unauthorised access to, or disclosure of, information and it is reasonable to believe that it could result in serious harm to individuals (e.g. if your database has been hacked); or
- Information is lost in circumstances where unauthorised access is likely, and it is reasonable to believe that it could result in serious harm to individuals (e.g. if your employee left a folder containing clients’ personal information in a public place).
The concept of ‘serious harm’
The effect of the new rules is to require business owners to consider the possible consequences of any data breach to determine whether it may cause ‘serious harm’ to an individual or individuals. This is a broad concept and may include physical, emotional, economic or financial harm or reputational damage.
To determine whether a data breach is likely to cause ‘serious harm’ (and is therefore a Notifiable Data Breach), you should consider factors such as:
- The type of information breached;
- Whether the information is protected by other security measures, and the probability that someone can overcome those measures;
- The people who may have access to the information as a result of the breach; and
- The nature of the harm that might arise from the breach.
What must you do if you identify or suspect a data breach?
If an APP entity suspects that a data breach has occurred, it must carry out an assessment within 30 days to verify whether the breach occurred and ascertain whether it is a Notifiable Data Breach.
How do you give notice of a Notifiable Data Breach?
The OAIC intends to publish an online form via which businesses can provide notification.
The breach must also be notified to the affected individuals using any reasonable direct method of communication (e.g. phone call, email, SMS or letter in the mail).
What information must a notification include?
A notification of a Notifiable Data Breach must include the following information:
- The identity and contact details of the APP entity;
- A description of the breach;
- The types of information exposed by the breach; and
- Recommendations about the steps that people should take in response to the breach.
Are there any exceptions to the NDB scheme?
Businesses are not required to notify a data breach if they act quickly in relation to the breach, such that it can reasonably be said that the breach would not cause any serious harm.
Further, businesses that have good policies and protocols in place should be able to avoid the rigmarole associated with notification under the scheme. Good protocols include things like data encryption, 24-hour IT monitoring and employee policies for the secure handling of sensitive information.
Ultimately, the onus is on the business to determine the likelihood of serious harm and make a call on whether the breach should be notified. It is our view that business owners are better off erring on the side of caution when deciding whether to notify.
How will the NDB scheme be monitored?
Most of the policing of notifications will be done by people who have been impacted by a breach.
For example, if an organisation failed to notify a breach and an affected person thinks they should have done so, they can complain to the OAIC. If the OAIC agrees that an organisation failed to give notice of a Notifiable Data Breach, the organisation may face penalties under the Privacy Act civil penalty framework (which includes fines of up to $1.8 million for organisations).
Traps for employers in relation to data breaches
Human error (or misuse) is generally held to be the biggest cause of data breaches. Typical ‘human error’ issues include opening an email with a virus attachment, misplacing or exposing sensitive documents, and sending emails to the wrong person. ‘Misuse’ includes disclosing passwords to unauthorised people, or a former employee taking a client’s sensitive information with them when they leave (often to give to their next employer).
For this reason, employers need to get on the front foot by implementing practical and comprehensive policies and procedures.
A policy for employees regarding data breaches should cover things like:
- Password protection and updates
- Email communication
- Data back-ups
- File downloads
- Computer and mobile security (including password/pin protection)
- Business credit card use
- Reporting expectations regarding data breaches
The policy should also make it clear that an employee will be disciplined (and possibly terminated) if they fail to adhere to the policy.
Recommendations for how to prepare for the NDB scheme
Business owners should take the following steps to prepare for the changes:
- Ascertain whether you are subject to the Privacy Act. Even if you are a small business or a sole trader, you could be subject to the new rules.
- Be aware of the types of information you store and their sensitivity. Different types of information may require different types of security measures.
- Prepare and implement a data handling policy. The sooner the better, to ensure that your staff get to know the policy before the scheme commences.
- Review your IT systems and firewalls. If you store a lot of sensitive data or are in an industry that is targeted by online attacks, consider investing in encryption software.
- Consider whether you should take out insurance to cover any loss you may suffer. Ideally, any policy should cover as many types of loss as possible (e.g. internal costs of compliance, rectification costs, third party claims for damages).
- Review your contracts with suppliers and other third parties. Ensure that they do not pass on responsibility to you, and that they do not limit their liability if a breach is caused or contributed to by them.
- Prepare and implement a data breach response plan. This will enable you to mobilise quickly if any data breach occurs.
- Appoint a person in your business to be responsible for notifications. This will ensure that notifications are completed quickly and in accordance with the requirements.
- Establish and maintain a data breach log. The log will be a central directory to record the details of any data breach, how the breach was categorised (i.e. whether or not it was notifiable), and how the breach was dealt with.
- Schedule periodic assessments of your procedures and policies. This will ensure that you can make any necessary modifications to your compliance once the scheme has been rolled out, and ensures your security measures will be kept up-to-date.
Questions or further information
If you need help with your IT or security systems please contact our IT department on (03) 5444 8799 or email firstname.lastname@example.org