We’ve all heard of the 2013 data breach of 1 billion Yahoo accounts, making it the biggest on record – revealed in 2016. Do you remember the 2012 hack of 167 million LinkedIn users with details being sold on the dark web through 2016? Or just last November when Uber revealed that the personal information of 57 million of its customers was compromised – and had been hidden by the company for more than 12 months. In each instance, and in many more data breaches in the last 20 years, companies have either hidden data breaches from those affected or delayed notification.
In Australia, that is all about to change.
On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 becomes law, and includes a number of changes to the Privacy Act 1988.
The main change is the legislation of a Notifiable Data Breach scheme.
Which businesses are affected by this change?
These changes are relevant to all businesses that are governed by the Privacy Act. These include organisations with a turnover more than $3 million a year. In addition, those businesses with a turnover of $3 million or less who are health service providers, businesses that sell or purchase personal information and credit reporting bodies are affected too.
Notifiable Data breaches
The legislation gives particular focus to ‘eligible data breaches’, which is defined as ‘unauthorised access to or unauthorised disclosure of your personal information, credit reporting information, credit eligibility information or tax file number information’ that a reasonable person would deem is likely to have ‘serious physical, psychological, economic or emotional harm to yourself, or serious harm to your reputation’.
Here’s an example:
An employee loses a USB drive containing confidential information and members of the public gain unauthorised access to sensitive information, or an email containing sensitive information is sent to the wrong recipient.
The key message here is that not all breaches will be intentional.
What does it mean for your business?
The new mandatory reporting applies regardless of whether the breach was intentional or inadvertent.
In the instance that an eligible data breach is deemed to have occurred, you are required to perform a mandatory assessment within 30 days. If the breach is considered likely to cause harm following this assessment, you are then required to provide a statement to the person/s affected, including an outline of the breach and a recommended course of action – how that person should respond to the breach. A statement must also be provided to the Office of the Australian Information Commissioner (OAIC). There is a prescribed form provided by the OIAC.
Notification to both the affected party and the OIAC must occur as soon as practicable after your organisation becomes aware of the data breach.
The consequences of non-compliance
Corporations risk court proceedings, payment of compensation and civil penalties up to $2.1 million.
Do you have a plan?
How can Snedden Hall & Gallop Lawyers help you?
The Snedden Hall & Gallop business team thanks Senior Law Clerk, Gene Schirripa for his work on this blog.