Mandatory Data Breach Notification Laws Take Effect on 22 February 2018
Updated: Feb 11, 2018
The New Laws
On 13 February 2017, the Australian senate passed new laws that will require businesses that are covered by the Privacy Act (1988) - APP Entities - to notify the Privacy Commissioner and their customers if they have experienced a data breach.
The Notifiable Data Breaches scheme (NDB) takes effect within Australia from Thursday, 22 February 2018.
The Australian Privacy Act will be amended to reflect these new laws. However, for businesses covered by the requirements of the Privacy Act the most important question is this: what does the change in the law mean for me?
In short, the new laws mean that businesses that identify or reasonably suspect they have been unlawfully breached or have lost private data are legally required to report the incident to the Office of the Australian Information Commissioner (OAIC). In addition, the compromised business may be required to formally notify affected customers through a statement (or other communication such as a phone call, email etc.) that outlines the description and nature of the data breach, the type of information affected, and how customers should respond to, and remediate, the effects of the breach.
If this notification has not been completed within a reasonable time period, the law also gives the Privacy Commissioner the ability to direct a business to issue such a statement.
On the ABC’s website, Mr Nigel Phair, the director for internet safety at the University of Canberra, fears too many Australian businesses will be caught out. "When you look at the organisations I talk to, they all think, 'Well, we won't get hacked so why would we put any investment or any effort into being prepared?'" he said.
Mr Phair said the businesses he was most concerned about were the smaller to medium-sized organisations. "The bigger you get, there is generally a more preparedness to invest in cyber security measures," he said. "Unfortunately, the smaller you get, they don't see the value proposition, and subsequently the reason to be prepared."
What constitutes a data breach?
The new laws consider an eligible data breach to have occurred when there is unauthorised access, disclosure or loss of customer information which generates a real risk of serious harm to the individuals concerned. Serious harm could include physical, psychological, emotional, economic or financial harm, as well as harm to reputation.
This can occur via a malicious online attack (a cyber security incident), be human based (documents accessed without permission by a third party), or occur through loss or mishandling of private data (a lost hard drive or computer, or hard copy documents in the rubbish). Such information includes personal details, credit reporting information, health information, and tax file numbers.
These amendments have been several years in the making and will be well received by members of the public who are becoming increasingly concerned about their privacy and expect that companies that hold their personal information are taking adequate measures to ensure its security.
Moreover, mandatory notification will now give affected individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information - such as cancelling credit cards, changing passwords and scrutinising bank statements more closely for fraudulent transactions.
Are You Ready?
The OAIC currently operates a voluntary data breach notification scheme and has published various resources to assist APP Entities with their handling of data breaches. Much of that guidance will assist APP Entities in ensuring that they comply with the scheme.
However, further steps are likely to be necessary in order to ensure that your organisation understands the impact of the scheme and to make the necessary preparations for its introduction.
We offer client-specific services aimed at ensuring that businesses covered by the Privacy Act are compliant with the OAIC's "reasonable steps" requirements and able to respond effectively to a data breach.