Do mandatory data breach notifications apply to you?
From a compliance perspective, these laws don’t affect you unless you are already required to comply with Australian privacy law. That means you must comply if:
- you operate a public, private or not-for-profit organisation with more than $3m turnover per year
- you are a health service provider (not just doctors, this can include gyms, childcare centres and schools), regardless of turnover
- you are part of a federal government agency
- you are part of a credit reporting agency
- your business buys or sells personal information
What are mandatory data breach notifications about?
Data breach falls within Australian privacy laws and is all about cyber security. The objective of the new law is to give individuals (those who care) confidence that their privacy is being protected. The laws apply regardless of technology and encourage transparency and accountability.
What does it mean if you have an eligible data breach?
Mandatory data breach notifications only relate to personal information. Personal information is defined in the Privacy Act as:
‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not’
So if your business is hacked and you lose commercial information, that is irrelevant to this law.
The key components of a data breach are:
- it involves personal information
- it does not have to be bulk data, personal information about one person may be enough
- the data has been accessed or disclosed
- or the data has been lost in circumstances where it is likely to be accessed or disclosed (like when NASA employees left a laptop containing access codes to the space station in a cab…)
- there is a likely risk of serious harm to the people who have had their personal information accessed, disclosed or lost
What does ‘Serious Harm’ mean for a data breach?
Serious harm is a broad concept including physical, psychological, emotional, economic, financial or reputational harm (like when Ashley Madison got hacked and all those people cheating on their partners risked being exposed…)
What counts as serious harm is likely to be different for each organisation and is probably associated with the reason why the data has been collected. Customers of a financial institution might risk economic loss, and customers of a medical clinic might risk psychological, emotional or reputational damage. Think about what is important to your customers, or the people whose personal information and data you collect.
What should you have in place to handle mandatory data breach notifications?
Not surprisingly, a large proportion of small businesses have ad hoc systems in place and no real understanding of what they collect, or how they control their data. This is particularly the case when using third-party systems that also store data, like Eventbrite.
IT, management and communications teams will need to work together for data breach notifications. The top 10 things to consider are:
- Every organisation covered by these laws should have a clear understanding of how their data is collected, stored and used and the vulnerabilities of those systems.
- Identify ‘who’ in the organisation is responsible for managing data.
- Identify the likelihood and consequence of an eligible data breach.
- Put in place staff training and security measures to reduce the chance of an eligible data breach.
- Understand what ‘serious harm’ could arise if there was a breach.
- Work out what would need to happen to avoid ‘serious harm’ and how quickly that could be implemented if there was a breach.
- Put in place a recovery plan in case of a breach.
- Put in place a communications plan that includes (as a minimum) the communication to those affected, a press release to reduce reputational damage, and the notification to the Privacy Commissioner.
- Check the business cyber insurance to see that it covers data breaches and the consequences.
- Test a data breach scenario to ensure your business has the ability to manage an eligible data breach.
Remember that data breach laws are technology neutral. Just because you still operate with a largely paper-based system does not mean that this law will not apply. As someone pointed out to me the other day, most filing cabinets can be unlocked with a paperclip.
Contact Onyx Online Law if you require help identifying risks to privacy within your business, or developing policies and procedures for managing personal information.