If the recent "Cabinet Files" incident, in which secret government documents were sold through a second-hand store, has taught us anything, it's that sensitive documents can be sold both cheaply and easily, even when there are no nefarious motives involved. New data breach rules in effect from 22 February 2018 place an increased onus on businesses to both protect personal information and notify the individuals whose personal information is involved in a data breach that is likely to result in serious harm.
Regardless of how good your existing systems are, data breaches are a reality, whether through human error, mischief, or simply because those looking for ways to disrupt are often a step ahead. But it's not all about IT: there have been numerous cases of hard copy records being disposed of inappropriately, employees allowing viruses to penetrate servers after opening the wrong email, and sensitive data on USB drives lost on the way home.
Who is covered by the data breach scheme?
The Notifiable Data Breach (NDB) Scheme affects organisations covered by the Privacy Act (those with an annual turnover of $3M or more). However, if your business is 'related to' a business covered by the Privacy Act, deals with health records (eg: gyms, child care, natural health providers, etc.), or is a credit provider, then your business is also affected (see the full list). Special responsibilities also exist for the handling of tax file numbers, credit information and details contained on the Personal Property Securities Register.
What you need to do
It's important to keep in mind that complying with these new laws means more than notifying the people in your database when something goes wrong. Organisations are required to take all reasonable steps to prevent a breach occurring in the first place, put in place the systems and procedures to identify and assess a breach, and issue a notification if a breach is likely to cause 'serious harm'.
Taking all reasonable steps – assessing risk
The Privacy Act already requires organisations to take all reasonable steps to protect personal information. The new data breach laws merely add an additional layer: assess breaches, and notify where the breach poses a threat. For example, if you have not already, you should assess issues such as:
· How personal information flows into and out of your business. For example:
o What information do you gather (including IP data from websites)?
o What information do you provide (eg: do you provide information on your clients to third parties)?
o Where private information is stored – map out what systems you use, where these systems store data (if cloud based, your data may be held in a foreign country), what level of security is provided within those systems, and what level of access each team member has (and what they should have access to for their role)
· How private information is handled by your business across its lifecycle, and who has access at each stage (not just who accesses the information for their work, but who 'could' access it)
· Possible impacts on an individual's privacy (risk assessment)
· The policies and procedures in place to manage private information, including risk management and mitigation, whether these are adhered to, and whether they are actively managed
· The policy review process: review policies and procedures at least annually, and again whenever new systems or technology are introduced. Remember, you can't just have a policy sitting somewhere; it needs to be actively reinforced and adopted by team members
· Protocols for new projects to ensure privacy wherever personal information is at risk
· Document everything, including your reviews and procedural updates, even if nothing changed. If there is ever an issue where your business's culpability is assessed, your capacity to prove that you took all reasonable steps will be important.
Not only in Australia. Does your Business have International Connections?
These days, many businesses also operate overseas or have overseas customers, and you need to be aware of the data breach requirements in other countries too. Most US states have compulsory data breach requirements. Likewise the European Union, with the EU's General Data Protection Regulation (GDPR) coming into effect from 25 May 2018. If you operate through a local distributor in the European Union or have direct supply into those countries, then it's likely your business will be caught by the Regulation.
Make sure you have a Plan!
When it comes to data breaches, all organisations must have a data breach response plan. The data breach response plan covers the:
· Actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team;
· Members of your data breach response team (response team); and
· Actions the response team is expected to take.
The Office of the Australian Information Commissioner provides a sample breach response plan.
Identifying a Serious Breach
So, what is a serious breach? A breach has occurred when there is unauthorised access to or disclosure of personal information, or a loss of personal information, that your business holds. Whether the harm from a breach is serious is a matter of judgement, but serious harm may include physical, psychological, emotional, financial, or reputational harm. If a breach occurs, you need to think through how that information could be used for identity theft, financial loss, threats to physical safety (for example, someone's home address), job loss, humiliation or reputational damage, or workplace bullying or marginalisation.
If you suspect a breach has occurred, your business is obliged to take "reasonable" and "expeditious" action regardless of whether you think it is serious or not (you have a maximum of 30 days, but in general the first 24 hours are the most crucial). Ignorance is not a defence. A lack of systems to identify breaches fails the Privacy Act's requirement to take all reasonable steps to protect personal information. As soon as a breach is identified anywhere in the business, whether it is IT based or physical, steps need to be taken, even if it is simply noting that no further action is required.
If you suspect a data breach has occurred that may meet the threshold of 'likely to result in serious harm', you must conduct an assessment. Sounds simple, right? But the problem for business is often that there are initially no definitive answers about the extent of a breach or its seriousness on which to base the assessment. Take the example of a retail business with an online store. Your IT department tells you that your customer database has been hacked, but can't tell you what information may have been affected or to what degree. You don't want to alarm your customers unnecessarily, but you do need to contain the damage and assess the situation quickly, not just because of the NDB scheme, but because your business's reputation is on the line.
Notifying a Breach
If a breach is assessed as likely to result in serious harm, you are obliged to advise the affected individuals and the Australian Information Commissioner. You have the option to:
· Notify all individuals whose personal information is involved in the eligible data breach;
· Notify only the individuals who are at likely risk of serious harm; or
· Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.
You advise the Australian Information Commissioner of a serious potential breach using the Notifiable Data Breach statement form.
Ignorance is not a Defence. So be Informed, be Empowered and be Ready!