Data Breach Laws for Business

As from 22 February 2018, all organisations in Australia that are regulated by the Privacy Act 1988 are subject to the Act's requirements covering a data breach. An organisation is required to notify both the Privacy Commissioner and any individuals likely to be at risk of “serious harm” because of a data breach.

In understanding an organisation's requirements, it is highly recommended that the organisation seeks legal advice and guidance from the Australian Government Office of the Australian Information Commissioner website.

Which data breaches require notification?

The criterion is based around the term “likely to cause serious harm”. A breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples:

  • A device that is lost or stolen and contains customers' personal information
  • The hacking of your databases that contain personal information
  • Where personal information is supplied mistakenly to the wrong person

Which organisations are covered by the Act?

If your organisation turns over 3 million, then you have obligations under this Act. This threshold applies to all types of organisation, including not-for-profits.

Note that there are exceptions to the 3 million criterion, and an organisation needs to seek advice as to whether it is covered by the Act. Turning over less than 3 million does not mean you are exempt; the Office of the Australian Information Commissioner website highlights the following exceptions to the 3 million threshold:

  • Entities that provide health services
  • Entities that trade in personal information
  • Credit reporting bodies
  • Employee associations registered under Fair Work legislation

The above list is not exhaustive.

Assessing a data breach

  • If an entity has reasonable grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies
  • In contrast, if an entity suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible data breach
  • An assessment must be reasonable and expeditious, and entities may develop their own procedures for assessing a suspected data breach.

For example, misplacing a computer or a USB stick that contains personal information, where the device can be recovered by a third party, would almost certainly be an eligible data breach. (Source: www.rk.com.au/insights/australias-new-data-breach-notification-law-what-does-it-mean-for-you/)

What are the 4 key steps if a data breach occurs?

The following information is sourced from the Office of the Australian Information Commissioner website.

  • Contain
  • Assess
  • Notify
  • Review

Contain: contain the data breach to prevent any further compromise of personal information.

Assess: gather the facts and evaluate the risks, including the potential harm to affected individuals, and where possible take action to remediate any risk of harm.

Notify: notify the affected individuals and the Commissioner as required by the Act.

Review: review the incident and identify and consider the actions that can be taken to prevent future breaches.

Do you need a response plan?

In short, it is good business practice for an organisation to have a response plan. The plan is a framework that sets out the roles and responsibilities involved in managing a data breach. It also describes the steps an entity will take if a data breach occurs.

Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach. It is also important for staff to be aware of where they can access the data breach response plan on short notice.

You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. You can test your plan by, for example, responding to a hypothetical data breach and reviewing how your response could be made more effective.

A checklist of what the plan should cover

Source: www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response

Use this list to check whether your response plan addresses relevant issues.

Information to be included

What a data breach is and how staff can identify one  Yes/No

Clear escalation procedures and reporting lines for suspected data breaches  Yes/No

Members of the data breach response team, including roles, reporting lines and responsibilities  Yes/No

Details of any external expertise that should be engaged in particular circumstances  Yes/No

How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions  Yes/No

An approach for conducting assessments  Yes/No

Processes that outline when and how individuals are notified  Yes/No

Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted  Yes/No

Processes for responding to incidents that involve another entity  Yes/No

A record-keeping policy to ensure that breaches are documented  Yes/No

Requirements under agreements with third parties such as insurance policies or service agreements  Yes/No

A strategy for identifying and addressing any weaknesses in data handling that contributed to the breach  Yes/No

Regular reviewing and testing of the plan  Yes/No

A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan  Yes/No

Conclusion

This is a complex and confusing area of the law, and all businesses should read widely and seek advice from appropriately qualified personnel, such as your legal representative.

How can Computer Troubleshooters help you? We offer a range of services aimed at minimising the risk of your organisation being impacted by a data breach. For more information, contact your local Computer Troubleshooter on 1300 28 28 78.