Security | November 23, 2017
Mandatory Breach Notifications
To better protect the privacy of Australians and improve corporate compliance and cyber security, the government is introducing Mandatory Breach Notifications (MDBN) to the Privacy Act on the 22 feb 2018.
To help you understand what the policy is (instead of reading the amendment) we have compiled an informative overview.
The information has been provided as a guide only and does contain our opinions on some points (written in blue). If you want to read it, the act it is here https://www.legislation.gov.au/Details/C2017A00012
This new policy amendment relates only to “personal” information:
Defined as “information or an opinion about an identified individual or an individual who is reasonably identifiable”. This specifically includes telco meta data, tax file numbers, credit information, genetic information, biometric information used for verification or identification and biometric templates.
Information about companies, assets and transactions will not be covered if not associated with an individual.
Who it effects
It is important that every company takes due care of personal information and take such steps that are reasonable in the circumstances to protect the information:
From the misuse, interference and loss and unauthorised access, modification or disclosure..
This only applies to businesses with $3m plus turnover and it doesn’t affect small businesses that have a turnover of less than $3m unless you are in the health care industry and subject to the My Health Records ACT 2012
You can also be affected by other companies, if you have provided data to an outsourced company and they sustain an eligible data breach, you must notify.
It is important that you conduct due diligence on the outsourced service provider.
What is an eligible data breach (EDB)?
An eligible data breach (one that must be reported) arises when the following three criteria are satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- this is likely to result in serious harm to one or more individuals; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action
Unauthorised access (doesn’t have to necessarily be downloaded, just accessed) to or disclosure of information where a reasonable person would conclude the access or disclosure would result in serious harm to the data subject.
Loss of information in circumstances where unauthorised access or disclosure is likely to occur and, assuming unauthorised access or disclosure takes place… a reasonable person would conclude the access or disclosure would be likely to result in serious harm to the data subject..
Matters relevant to whether serious harm is likely
- The sensitivity of the information
- Whether the information is protected by security
- Whether security measures might be overcome
- Whether a security technology or methodology was used and the likely hood it might be circumvented
- The person or kinds of person who have obtained the information
- The nature of the harm
Even if your email address book is leaked, it is considered a breach. Anything personal about someone that has potential for loss or stress can be seen to cause harm.
The more data breached, the higher the likelihood of serious harm, and the likelihood of it being an eligible breach.
The obligation to investigate
If an entity is “aware that there are reasonable grounds to suspect that there may have been an eligible data breach but is not aware that there is fact is an eligible data breach” then:
- The entity must carry out a reasonable and expeditious assessment of whether an eligible breach has occurred; and
- Take all reasonable steps to ensure the assessment is completed within 30 days.
This means even if you suspect a breach, you legally have to investigate.
The investigation must be completed by suitably qualified personnel.
The investigation also applies to an eligible data breach of one or more entities, however only one entity has to notify. This also applies to partners and or contractors you have provided data to.
Remedial action taken after unauthorised access or disclosure
If there has been a breach and action is taken before serious harm to any data subject occurs, you don’t have to report.
For example if user account details are leaked, you could en mass delete those account and request that clients create a new account and password.
However, if the action taken only remedies part of the data subject, you must still report, but only for the affected data subjects.
The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice, and in the interest of maintaining a community in which privacy is valued and respected
Notification to the Privacy Commissioner
If you have an eligible data breach (EDB), you must as soon as practicable after becoming aware prepare a statement that contains:
- Identity and contact details
- A description of the relevant data breach
- The kind or kinds of information concerned
- Recommended steps by the data subject
- If applicable, identity and contact details of other identities that might be involved
This statement is different from what you need to prepare to give to affected parties.
As soon as practicable after preparing the statement to the Commissioner:
- If practicable, notify the contents of the statement to each data subject to whom the information relates; or
- If practicable, notify the contents of the statement to each data subject at risk (you may not want to notify everyone) from the data breach; or
- If those aren’t practicable, publish a copy of the statement notice on your website and publicise the contents of the notice
If an eligible data breach affects multiple entities, only one entity has to notify (typically the owner of the data), SOMEONE MUST DO IT THOUGH!
If you don’t notify
The power to direct notification arises if the Commissioner believes there are reasonable grounds to believe there is an EDB. The direction may include a requirement to prepare a statement, to provide the statement to the Commissioner and to take steps to notify the individuals to whom the relevant information relates. The direction can specify the information about the eligible data breach that must be included the statement.
The direction could result if they think it required, even if you don’t. You need to be sure you are in the clear if you were breached and remediate.
Exceptions to notify
An exception can be granted on application if the Privacy Commissioner believes it is reasonable in the circumstances to do so. For example, if you have already notified affected parties and there is no serious harm, the direction to notify may cause more harm.
An exception also applies:
- To law enforcement bodies if the CEO believes it may prejudice one or more enforcement activities
- If the notification is inconsistent with Commonwealth secrecy provisions
- If the data breach must be notified under section 75 of the My Health Records ACT 2012
Enforcement and Penalties
- Investigations and publications of results, binding determinations (including compensation) and enforceable undertakings.
- Failure to comply with privacy of an individual, resulting in a maximum civil penalty of $340,000 for 2000 penalty units ($170 per item breached).
- Maximum x5 for bodies corporate ($1.7m)
Please note that the Commissioner is looking for compliance over having to fine people. Repeat offenders will be subject to more enforceable undertakings like regular audits and increased regulation.
The OAIC has some great guides to follow and get more information on how to prepare your business:
If you need guidance to help your business prepare for this amendment or to understand your risks please get in contact with us. We have a specialist team to can assist you.