Data Breach Notification Laws

New data breach notification laws came into effect in Australia on 22 February 2018

Australia’s new Data Breach Notification laws came into effect on 22 February 2018. This new law will require businesses that comply with the Privacy Act 1988 (Cth) to notify the Australian Information Commissioner if they experience an eligible data breach.

The following snapshot about this new law is taken from Webber Insurance Services’ website.

We live in a time where businesses are increasingly suffering data breaches, whether it is from ransomware or other viruses. This means that protecting your business from a potential loss of data can now be seen as important as protecting your business from a physical loss such as fire and theft.

So who does this law change apply to, what is an eligible data breach, what happens when a data breach occurs and how can you protect your clients and your own business from an incident occurring?

Who do the Data Breach Notification laws apply to?

The new Data Breach Notification laws apply to small businesses and not-for-profit organisations that have had a turnover of over $3,000,000 in any financial year since 2002. If a business has not traded for a full 12 months, consideration must be given to what an estimated annual turnover will be.

Government agencies will also be required to comply with the new laws.

Generally speaking, most small businesses will not have to comply; however, there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Data Breach Notification laws if it is:

  • A health service provider;
  • Trading in personal information (e.g. buying or selling a mailing list);
  • A contractor that provides services under a Commonwealth contract;
  • A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act);
  • An operator of a residential tenancy database;
  • A credit reporting body;
  • Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009;
  • Businesses that conduct protected action ballots;
  • Businesses that are related to a business that is covered by the Privacy Act;
  • Businesses prescribed by the Privacy Regulation 2013; or
  • Businesses that have opted in to be covered by the Privacy Act.

The Australian Government has created a checklist to help organisations determine if they fall into any of the above categories. The checklist can be found on the Government's website.

What is an Eligible Data Breach?

An eligible data breach occurs when there is:

  • Unauthorised access to personal information
  • Unauthorised disclosure of personal information
  • Loss of personal information

The personal information is held by a business, and a reasonable person would conclude that the loss, disclosure or access is likely to cause serious harm to any of the individuals to whom the information relates.

Examples of an eligible data breach include:

  • A database containing personal information is accessed by hackers;
  • A laptop or phone that contains customers’ personal information is lost or stolen;
  • An employee browses sensitive customer information without any legitimate purpose;
  • A contractor working on a database containing customer information takes their own copy on a USB.

If a business has reasonable grounds to suspect a data breach has occurred, it must carry out a reasonable assessment within 30 days of the breach occurring. This allows the business to determine whether an eligible data breach has occurred so that the correct notification process can then be followed.

However, if remedial action is undertaken and serious harm is not likely to occur, this would not be deemed an eligible data breach.

When a Data Breach occurs, what are the notification obligations?

When a business has reasonable grounds to believe an eligible data breach has occurred, it is obliged to promptly notify the individuals at likely risk of serious harm. The Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • The identity and contact details of the organisation;
  • A description of the data breach;
  • The kinds of information concerned; and
  • Recommendations about the steps individuals should take in response to the data breach.

A template for the notification has been developed by the Australian Government and is available on its website.

What happens if I do not report an Eligible Data Breach?

The Data Breach Notification laws state that a civil penalty can be applied to a business. Individuals face a maximum fine of $360,000 and businesses $1,800,000 for serious or repeated interference with an individual’s privacy.

What can a business do to prepare for Data Breach Notification Laws?

Businesses need to ensure they have planned adequately for the new Data Breach Notification laws, and should consider the following:

  • Assess and update your Privacy Policy;
  • Review your existing processes around data security;
  • Review relevant contracts with key suppliers to determine how information is to be handled;
  • Educate relevant staff on the Data Breach Notification laws;
  • Create a Data Breach management strategy;
  • Consider Cyber Insurance to protect the business against financial loss.

Cyber Insurance

The new Data Breach Notification laws have increased the need for businesses to have a Cyber Insurance policy in place. Whilst Cyber Insurance is not a magic pill that solves all of a business’s requirements, it plays a valuable part. Cyber Insurance is a practical way for a business to fund the cost of implementing its Data Breach Response Plan. To find out more about what Cyber Insurance can cover, please visit Webber Insurance Services’ website.

To read Webber Insurance Services’ full summary of the Data Breach Notification laws, go to the blog section of their website.