Compliance with the Notifiable Data Breaches Scheme

Data breaches are an increasingly common threat worldwide, and legislation across jurisdictions is scrambling to keep up. Following the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, the Office of the Australian Information Commissioner (OAIC) has introduced a new Notifiable Data Breaches Scheme (NDBS), which comes into effect on February 22, 2018. Detailed information about the scheme is available on the AIDC’s website.

Compliance with the Notifiable Data Breaches Scheme

By: Charlotte Pache, Senior Vice President and Managing Director, Epiq

Brookes Taney, Vice President, Data Breach Solutions, Epiq

Data breaches are an increasingly common threat worldwide, and legislation across jurisdictions is scrambling to keep up. Following the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, the Office of the Australian Information Commissioner (OAIC) has introduced a new Notifiable Data Breaches Scheme (NDBS), which comes into effect on February 22, 2018. Detailed information about the scheme is available on the AIDC’s website.

From the commencement date of the scheme, organisations will have to notify the OAIC and affected individuals when they experience a data breach. Civil penalties of up to $1.7m may apply if a breach occurs (as well as potential compensation for damages).

The scheme requires agencies, organisations and certain other entities to provide notice to affected individuals of an eligible data breach, as well as to the Australian Information Commissioner.

Data Breach Notification Requirements in Australia

The NDBS scheme creates a legal requirement for mandatory data breach notifications – which means that organisations must provide notice to affected individuals and relevant regulators when security incidents compromise information of a certain kind, such as personally identifiable information (PII) or other information that may meet a specified harm threshold.

The new legislation applies to all entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth) (e.g. many Australian Government agencies and private sector organisations with an annual turnover of more than $3 million). It will also apply to certain credit providers, credit reporting bodies, and holders of tax file number information.

Examples of when a data breach notification may be required could include a malicious breach of secure storage and handling of information (for example, during a cyber security incident), an accidental data loss (most commonly of IT equipment or hard-copy documents), a negligent or improper disclosure of information, or where the incident satisfies a particular harm threshold if one exists.

What Constitutes an Eligible Data Breach in Australia?

As defined by the legislation, a data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. A data breach becomes an eligible data breach when a reasonable person could conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred). This is based on the standard recommended by the Australian Law Reform Commission.

Data Breach Notification Requirements in Australia

If an organisation suspects that a data breach has occurred, they are required to notify the Australian Information Commissioner “as soon as practicable” after they are aware that there are reasonable grounds to believe that there has been an eligible data breach. The notification must include:

  • The identity and contact details of the entity or organisation that experienced the breach,
  • A description of the data breach,
  • The types of information concerned, and
  • Recommendations about the steps that individuals should take in response to the data breach.

The same information must be provided to individuals affected by the data breach. The regulations provide the following guidance for notifying affected individuals:

The entity may use the method of communication that it normally uses to communicate with the individual. Where there is no normal mode of communication with the particular individual, the entity must take reasonable steps to communicate with them. Reasonable steps could include making contact by email, telephone or post.

The entity has discretion to notify either each affected individual or, if not all affected individuals are deemed to be ‘at risk’ from an eligible data breach, only those affected individuals who are deemed to be at risk.

There may be circumstances in which it is impracticable to provide a notification to affected individuals, either collectively or only to those at risk. The Bill provides that, in these circumstances, an entity will not be required to provide notice directly to each affected individual but will rather be required to provide the information described above on its website (if any) and to take reasonable steps to publicise the information. (For example, via media notice.)

Data Breaches: A Global Threat

Australia is the latest in a long line of jurisdictions to set down rules regulating when, how soon and in what way organisations must notify affected individuals and relevant regulators about cyber incidents and data breaches.

In the U.S., 47 of the 50 states have their own, slightly differing, requirements and definitions of data breaches and when and how individuals must be notified.

In the EU, even more stringent regulations are on the horizon. The General Data Protection Regulation (GDPR) will introduce a single set of rules across the EU on May 25, 2018. It will require that organisations inform local regulators of personal data losses within 72 hours, and that individuals at risk be informed without undue delay. The impact of GDPR is far-reaching, since it will apply not only to organisations based in the EU, but to any organisation that retains or uses the data of EU citizens.

Data Breaches: When, Not If

Data breaches are now a matter of when, not if. Millions of records of PII are lost or stolen every year, resulting in penalties for breach of regulations, increased litigation and damage to brand reputation.

Hackers of all kinds are growing more sophisticated, and attacks are becoming more targeted, making data breaches a global threat for both individuals and organisations. The regulations will only become more stringent, which will force organisations to prepare to quickly respond to incidents, provide notification in a timely fashion, and remediate security threats on an ongoing basis.

Businesses should take the following approach to manage risk:

  • Identify the risks (what information do is held that falls into this category?)
  • Protect against breach (what protection is needed to ensure no one unauthorised can access our information?)
  • Detect breaches (how will a breach be detected?)
  • Respond (how is problem fixed in order to prevent further breaches?)
  • Recover (what steps need to be taken to report the problem, implement a solution and get back to business as usual?).

Conclusion

It is important to ensure compliance with the new scheme, which may mean implementing processes to meet the various assessment / notification requirements. The NDBS presents companies with an opportunity to engage with their customers on privacy protection and to build/maintain trust in an increasingly digital world. This is an ideal time to review how your company manages its information (and manages itself) and to take stock of its information assets, data protection measures (including response activities) and to ensure it minimises the risk of a breach in the first place.

 

Charlotte Pache, Senior Vice President and Managing Director, Epiq

Brookes Taney, Vice President, Data Breach Solutions, Epiq