8th February, 2018

Notifiable Data Breaches legislation: Everything you need to know, and how to be prepared

Whether it’s your customer lists, customer preferences, patient medical records or client financials, personal information and data is the lifeblood of any organisation. Effective 22nd February 2018, organisations that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

Data Breach Notifications will introduce new costs and consequences for companies when an incident occurs, with IBM’s Cost of Data Breach Study in Australia for 2017 noting the average cost of a data breach is $139 per compromised record. This figure represents expenses incurred including the value of lost customers, size and number of records lost or stolen, costs incurred in identification and containment, forensic investigation expenses, crisis management, costs in responding to concerned clients, and dealing with government investigations.

Furthermore, failure to comply with the breach notification requirements will leave individuals and organisations open to fines and penalties, with the maximum currently $360,000 for individuals and $2.1 million of organisations.

So what is the Notifiable Data Breaches Scheme, and how will it apply to your business?


What is the Notifiable Data Breaches Scheme?

Effective 22nd February 2018, the Notifiable Data Breach scheme will become live in Australia. The scheme will place an obligation on eligible entities to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.


Who does the scheme apply to?

The scheme will apply to all agencies and organisations with existing personal information security obligations under the Privacy Act (1998). This will include, but is not limited to the following types of entities:

  • Any Health Service Providers
  • Organisations that handle health data
  • Businesses with turnover greater than $3 million
  • Not for profit organisations
  • Child Care Providers
  • Education Providers
  • Australian Government Entities
  • Businesses that trade in personal information – including entities that disclose personal information about individuals to anyone else for a benefit, service or advantage; or entities that provide a benefit, service or advantage to collect personal information about another individual from anyone else
  • Businesses and individuals who handle personal information (including Tax File Numbers)

Businesses that handle tax file numbers, including employee records, are subject to the scheme to the extent the information is involved in a data breach.


What is considered a Data Breach?

An eligible breach will be considered to have occurred if the following is met:

There is unauthorised access to, or unauthorised disclosure of, information
Information is lost in circumstances where unauthorised access or disclosure is likely to occur
A reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to which the information relates.

In relation to the scope of “serious harm”, the explanatory memorandum included with the act suggests it could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.

Information which could be considered subject to the act include:

  • Information about an individual’s health
  • Documents commonly used for identity fraud including:
    • Medicare card
    • Driver’s Licence
    • Passport Details
  • Financial Information
  • Combinations of different types of personal information that allows more to be known about an individuals can cause serious harm.

Some examples of a data breach include when:

  • A device or document containing customer’s personal information is lost or stolen.
  • A database containing personal information is hacked.
  • Personal information is mistakenly provided to the wrong person.
  • Unauthorised access of client data by staff.

The scheme does provide a business with the opportunity to take steps to address a data breach in a timely manner, and avoid the need to further notify — including notifying individuals whose data has been somewhat exposed. An example may include locking down a laptop or mobile phone in the event it has been lost, and prior to any unauthorised access occurring.


Steps to follow when a breach occurs

As a business, if you have reasonable grounds to suspect an eligible data breach has occurred, must notify the affected individual/s and Office of the Australian Information Commissioner (OAIC).

Notifying the OIAC is completed by submitting the Notifiable Data Breach statement – Form which can be found here. Information which would need to be submitted include the following:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned and;
  • recommendations about the steps individuals should take in response to the data breach.

With respect to notifying the individuals involved, you must take steps that are reasonable in the circumstances to notify the individuals about the contents of the Data Breach Statement. When considering reasonableness, an organisation must take into account the likelihood that the people it is notifying will become aware of, and understand the notification.
The Australian Red Cross is a recent example of a recent Data Breach, whereby approximately 550,000 records were made public. The OAIC commend the Red Cross for their response to the circumstances, as well as promptly notifying their customers. Further information on the Breach can be found here.

If you are unable to determine if an eligible breach has occurred within your business, The Act allows for up to thirty (30) days to conduct an expeditious assessment. Throughout the assessment, should you discover it was likely an eligible breach has occurred, you will be required to notify the individuals involved immediately, prior to the conclusion of the investigation.


How to be prepared

To ensure your business does not fall foul of the new legislation, we suggest consideration be given to the following risk management strategies:

  • Review your practices and procedures to ensure that your obligations under the legislation can be met in the event of a data breach.
  • Prepare a response plan, or amend your current plan, to allow for a quick and efficient response to any suspected or actual data breaches.
  • Review their business’ contracts with service providers and third parties to ensure that each party is aware of its responsibilities in respect of the notification scheme is understood.
  • Ensure you are familiar with what data you have, where it is kept, and who has access to it.
  • Review and strengthen cybersecurity strategies.
  • Ensure staff training occurs regularly, and is constantly being updated.


How can Bruce Insurance help you comply with your data breach obligations?

We work with you to develop and implement an insurance program and risk strategies to minimise your risk. Should a breach occur, we are ready to work with you by providing protecting your business, your balance sheet and your reputation by ensuring there is a prompt response to the situation, as well as liaising with your insurer to gain access to the professionals required to manage, contain and control the situation.


Article written by Michael Verbunt, Bruce Insurance, Account Manager

Author: Murray Bruce