New cyber-security laws which take effect on 22 February 2018 will see the introduction of mandatory reporting of data breaches in Australia. Under the new law, entities must report any data breaches or suspected breaches to the Privacy Commissioner and affected customers as soon as practicable after the breach.
What is a data breach? A data breach is any unauthorised access to or disclosure of any information held by your business that risks harm to the person to whom the information relates. The information could be about your clients, employees, suppliers and anyone else your business deals with. A data breach might happen from outside, through spyware, viruses, malware, spam emails, ransomware or internally through use of weak or default passwords.
How are breaches reported? If a breach occurs or you suspect has occurred you have 30 days report to the Privacy Commissioner with a statement describing the breach and recommended steps to help protect affected individuals.
Consequences? Repeated or serious failure to report risk penalties of up to AUD 360,000 for individuals and AUD 1.8m for corporations.
What can you do? Get prepared. Start by restricting administrator privileges and ensure regular change of passwords. Talk to your IT and cyber security specialists. Call us to better understand your cyber-security and privacy obligations.
Changes to reporting on cyber breaches will take effect as of 22 February 2018 with the proclamation of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). This Act introduces a mandatory Notifiable Data Breaches Scheme (NBD Scheme) into Australia, requiring all organisations and government agencies subject to the Privacy Act 1988 (Cth) to report all eligible data breaches to the Privacy Commissioner and affected customers as soon as practicable after the data breach.
The NBD Scheme will impact all "organisations" subject to the Australian Privacy Principles in the Privacy Act 1988 (Cth) (APP Entities) including individuals, sole traders, body corporates, partnerships, unincorporated associations and trusts that have an annual turnover of more than 3 million dollars. It will not impact registered political parties or agencies, state authorities, territory authorities or prescribed instrumentalities of a state or territory. The NBD Scheme will also bind all credit reporting bodies, credit providers and tax file number recipients.
This scheme will also cover any APP entity that discloses personal information to overseas recipients if the overseas recipient is subject to unauthorised access or disclosure of information. Hence the NBD Scheme will not only impact Australian companies, but also foreign companies operating in Australia and accessing Australian data.
The NBD Scheme requires entities to notify the Office of the Australian Information Commissioner (OAIC) of any eligible data breach or if there are reasonable grounds to suspect an eligible data breach.
What constitutes a breach?
An eligible data breach is any unauthorised access to or disclosure of information that a reasonable person would conclude would be likely to result in serious harm to any of the individual that the information relates to. Alternatively there is an eligible data breach if the information is lost in circumstances where unauthorised access to or unauthorised disclosure of the information is likely to occur and if it were to be disclosed or used without authorisation, would be likely to result in serious harm to any of the individuals that the information relates to.
If there are reasonable grounds to suspect there was or may be an eligible data breach, then the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to a breach within 30 days.
How do we respond?
Upon the entity becoming aware that there are reasonable grounds to suspect a data breach, the entity must prepare a statement setting out its identity and contact details; a description of the eligible data breach; the kinds of information concerned and recommendations individuals should take in response to the eligible data breach. This statement must be provided to the OAIC as soon as practicable after the entity becomes aware of the potential breach.
The entity must then notify the individuals to whom the relevant information either relates or risks from the eligible data breach as to the contents of the statement. If it is impractical to notify the affected individuals of the contents of the statement, the entity must publish a copy of the statement on its website and take reasonable steps to publicise the contents.
Repeated or serious failure to comply with the Act risks civil penalties of up to $360,000 AUD for individuals and $1.8 million AUD for corporations.
The best thing is for entities to try to prevent data breaches before they occur, and develop strategies for if any do eventuate.
The Australian Signals Directorate suggests the following four strategies to limit the extent of data incidents and recover data:
There are a number of exceptions available to entities under the Act. Relevantly, an eligible data breach will be deemed to have not occurred if: after the breach, the entity takes remedial action before any serious harm is caused to the individuals to whom the information relates. Consequently, entities should prepare for how they will manage data breaches if they do occur to prevent further harm from being caused.
The nature of any new Act is that it is uncertain how it will operate in reality. It is unclear under the Act what will constitute "as soon as practicable" and whether the Commissioner will be lenient with how long entities have to prepare the statements and inform the customers of any data breaches. Consequently, entities should endeavour to take immediate action if any data breaches are suspected.
Entities should also consider the new, potentially onerous obligations that will be imposed by the new scheme. In reality entities will need to be considering how to prevent breaches and continuously monitor their systems for any vulnerabilities and risks of breaches. Part of the first hurdle in combating cyber breaches is becoming aware of the breaches in the first place.
Entities should also get prepared for any incidental issues that may arise after the scheme begins operating; for example how to manage the publicity of a data breach within an entity and whether entities will be open to liability for breaches of confidentiality provisions and agreements.
We have three months to get prepared before the scheme commences. It's time to talk to your IT and cyber security specialists and speak to Integra about you privacy and cyber security rights and obligations.
