The new Mandatory Data Breach Notification regime started on 22 February 2018. The Privacy Act has been amended by the insertion of a new Part IIIC. You can download an updated version of the Privacy Act 1988 including the amendments here.
The new scheme reflects the trend of regulators requiring businesses to tell them when they breach a law. The penalty for not reporting a breach could exceed the cost of the breach itself (which could be a separate Privacy Act offence).
The Office of the Australian Information Commissioner (OAIC) has released a guide titled Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).
While data breach headlines usually trigger thoughts of hackers and ransomware viruses or even malicious ex-employees, the recent Cabinet Files incident (where classified Cabinet papers were left in a filing cabinet sold at a second-hand store) is a reminder that physical security of personal information is as important as electronic security. Losing USB flash drives and paper files can have the same consequences as cybercrime.
From 22 February 2018, data breaches involving personal information must be reviewed to determine whether you are obliged to report the breach to affected customers and the Privacy Commissioner, as well as publicise it on your website.
The confidentiality of data that you hold (both your own and for your customers) is an essential element of your reputation: your customers trust you to keep their information secure.
But first you have to know what data you hold and where it is stored. And how will you know if it has been stolen if you do not receive a ransom request or see it published in the media?
If you outsource services, how do you know your service provider’s systems are secure, or that they will tell you if they have had a breach? You need to review your contracts to insert appropriate provisions.
Data security is now an important part of your risk management. If you are regulated by APRA, revisit CPG 234.
Once you suspect a breach, you must conduct an assessment within 30 days and work out whether you can remediate it.
If a data breach is likely to result in serious harm to any of the individuals to whom the information relates, you need to tell the Privacy Commissioner:
- the kind of information involved;
- how it occurred;
- when it occurred;
- when it was discovered;
- how many individuals are affected;
- recommendations about the steps that individuals should take in response to the serious data breach;
- a description of any action you have taken, or intend to take, to prevent a recurrence.
Whether the cause of a breach is human (eg a staff error), a system fault or a criminal act, the experts say that a breach is inevitable.
Failure to report a breach could result in a penalty for companies of up to $2.1 million.
Customers expect full disclosure, a meaningful apology and adequate customer support.
For financial services and credit licensees, a privacy breach that relates to their customers could also constitute a licence breach.
If you haven’t already done so, it’s time to review your privacy policy and your data breach response plan.