What is a data breach?
A data breach is any unauthorised access to or disclosure of any information held
by your business that risks harm to the person to whom the information relates.
The information could be about your clients, employees, suppliers and anyone else
your business deals with. A data breach might happen from outside, through
spyware, viruses, malware, spam emails or ransomware, or internally through the
use of weak or default passwords.
How are breaches reported?
If a breach occurs, or you suspect one has occurred, you have 30 days to report
to the Privacy Commissioner with a statement describing the breach and
recommended steps to help protect affected
Consequences?
Repeated or serious failure to report risks penalties of up to AUD 360,000 for
individuals and AUD 1.8m for corporations.
What can you do?
Get prepared. Start by restricting administrator privileges and ensuring that
passwords are changed regularly. Talk to your IT and cyber security specialists.
Call us to better understand your cyber-security and privacy obligations.
FOUR MONTHS TO GET PREPARED
1. What is it?
Changes to the reporting of cyber breaches will take effect as of 22 February
2018 with the proclamation of the Privacy Amendment (Notifiable Data Breaches)
Act 2017 (Cth). This Act introduces a mandatory Notifiable Data Breaches Scheme
(NDB Scheme) into Australia, requiring all organisations and government agencies
subject to the Privacy Act 1988 (Cth) to report all eligible data breaches to
the Privacy Commissioner and affected customers as soon as practicable after
the data breach.
2. Who does this affect?
The NDB Scheme will impact all "organisations" subject to the Australian Privacy
Principles in the Privacy Act 1988 (Cth) (APP Entities), including individuals,
sole traders, body corporates, partnerships, unincorporated associations and
trusts that have an annual turnover of more than 3 million dollars. It will not
impact registered political parties or agencies, state authorities, territory
authorities or prescribed instrumentalities of a state or territory. The NDB
Scheme will also bind all credit reporting bodies, credit providers and tax file
number recipients.
The scheme will also cover any APP entity that discloses personal information to
an overseas recipient, if that overseas recipient is subject to unauthorised
access to or disclosure of the information. Hence the NDB Scheme will not only
impact Australian companies, but also foreign companies operating in Australia
and accessing Australian data.
3. What does the NDB Scheme require?
The NDB Scheme requires entities to notify the Office of the Australian
Information Commissioner (OAIC) of any eligible data breach, or where there are
reasonable grounds to suspect an eligible data breach.
What constitutes a breach?
An eligible data breach is any unauthorised access to or disclosure of
information that a reasonable person would conclude would be likely to result
in serious harm to any of the individuals to whom the information relates.
Alternatively, there is an eligible data breach if the information is lost in
circumstances where unauthorised access to or unauthorised disclosure of the
information is likely to occur and, if it were to be disclosed or used without
authorisation, would be likely to result in serious harm to any of the
individuals to whom the information relates.
If there are reasonable grounds to suspect that there was or may have been an
eligible data breach, the entity must, within 30 days, carry out a reasonable
and expeditious assessment of whether there are reasonable grounds to believe
that the relevant circumstances amount to a breach.
How do we respond?
Once the entity becomes aware that there are reasonable grounds to suspect a
data breach, it must prepare a statement setting out its identity and contact
details; a description of the eligible data breach; the kinds of information
concerned; and recommendations about the steps individuals should take in
response to the eligible data breach. This statement must be provided to the
OAIC as soon as practicable after the entity becomes aware of the potential
breach.
The entity must then notify the individuals to whom the relevant information
relates, or who are at risk from the eligible data breach, of the contents of
the statement. If it is impractical to notify the affected individuals of the
contents of the statement, the entity must publish a copy of the statement on
its website and take reasonable steps to publicise the
Repeated or serious failure to comply with the Act risks civil penalties of up
to $360,000 AUD for individuals and $1.8 million AUD for corporations.
4. What should we do now?
The best course is for entities to try to prevent data breaches before they
occur, and to develop strategies for responding if any do eventuate.
The Australian Signals Directorate suggests the following
four strategies to limit the extent of data incidents and recover data:
- Restrict administrative privileges;
- Patch operating systems;
- Multi-factor authentication; and
- Daily backup of important data.
There are a number of exceptions available to entities under the Act.
Relevantly, an eligible data breach will be deemed not to have occurred if,
after the breach, the entity takes remedial action before any serious harm is
caused to the individuals to whom the information relates. Consequently,
entities should prepare for how they will manage data breaches if they do occur,
so as to prevent further harm from being caused.
5. Future Uncertainties and Concerns
The nature of any new Act is that it is uncertain how it
will operate in reality. It is unclear under the Act what will constitute "as
soon as practicable" and whether the Commissioner will be lenient with how long
entities have to prepare the statements and inform the customers of any data
breaches. Consequently, entities should endeavour to take immediate action if
any data breaches are suspected.
Entities should also consider the new, potentially onerous obligations that
will be imposed by the new scheme. In reality, entities will need to consider
how to prevent breaches and to continuously monitor their systems for any
vulnerabilities and risks of breaches. Part of the first hurdle in combating
cyber breaches is becoming aware of the breaches in the first
Entities should also prepare for any incidental issues that may arise after the
scheme begins operating; for example, how to manage the publicity of a data
breach within an entity, and whether entities will be open to liability for
breaches of confidentiality provisions and agreements.
We have three months to get prepared before the scheme commences. It's time to
talk to your IT and cyber security specialists and speak to Integra about your
privacy and cyber security rights and obligations.