With the passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, both private and public Australian organisations will now be obliged to notify the Office of the Australian Information Commissioner (OAIC) in the event of a data breach. The requirement to report will commence on 13 February 2018, 12 months after being approved by both Houses of Parliament.
Previously, Australian companies were free to withhold that information, safeguarding them, albeit temporarily, from potential reputational damage as they scramble to understand the extent of the cyber breach.
Whether it’s a data leak, malicious or accidental, the change in legislation will now require companies to report those breaches within 24 hours to the OAIC and the affected individuals who may have been subject to the breach.
The aim of these laws is to incentivise the holders of data to adequately secure that information. We’ve assessed the recent changes and summarised the key points for you below:
Who exactly will be affected?
The change in legislation will apply to any organisation that stores personal information of employees, clients or customers, credit reports and financial information, and any other information required to be kept secure under the Privacy Act 1988 (Cth). It also affects not-for-profit organisations with an annual turnover of more than $3 million.
If you have employee, client or customer information stored locally in your organisation, it is likely you will be captured as an entity required to report.
What exactly constitutes a data breach?
The obligation to report is for an entity that becomes aware on reasonable grounds that there has been an eligible data breach.
An eligible data breach, as described by the Bill, is one where either:
- there is unauthorised access to, or disclosure of, the relevant information, and a reasonable person would conclude that the access or disclosure would likely result in serious harm to any of the individuals to whom the information relates
- the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm can be interpreted in a few ways, but many will agree that the release of personal information to an unauthorised source, including name, email, address, or contact details, constitutes serious harm. Unauthorised access to information that is already publicly available, by contrast, would likely not fall under that banner. We suggest taking the stricter interpretation when in doubt.
What exactly will I have to do?
In addition to taking steps to contain the breach, your organisation must, as soon as practicable after becoming aware of a data breach, prepare a statement that includes a general description of the type of information that was exposed, what individuals can do to mitigate the harm caused by the breach (e.g. change passwords), and who they can call to get further information or assistance.
You are also required to provide a copy of the statement to each individual who is affected, or at risk of being affected, by the compromised information. If providing such a statement to the individuals is not practical, you will be required to publish a copy of the statement on your website and take reasonable steps to publicise the content of the statement.
You should also engage a third party advisor to conduct a preliminary assessment of the breach and evaluate the risk associated with the incident and advise on measures to prevent future occurrences.
What if we only suspect a breach may have occurred?
The Bill also speaks about the potential for a breach, and requires your organisation, should it not be sure whether an eligible data breach has actually occurred, to immediately carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe a data breach occurred. Such an assessment is required to be finalised within 30 days of becoming aware of grounds for suspicion.
This is generally best done by a third party advisor who can work with your internal team to review the logs and determine the extent of the suspicion.
Where to from here?
Your best course of action would be to begin focusing on an updated and comprehensive risk assessment of your cyber defences, work on policy development and increase staff training. It is also crucial to develop a compliance monitoring program that ensures logs and other important information are regularly reviewed.
It is important to take each situation seriously and move quickly to contain and assess the suspected breach.
Breaches that may initially seem immaterial may have a significant impact to your organisation when their full implications are realised.
Your company should make a decision about how to respond to various case scenarios. Successful planning will likely mitigate the disastrous effects seen in some well-publicised large-scale data breaches.