From 22 February, Australian companies need to notify the regulator and affected individuals in the event of a serious personal data breach. Whether it is the result of a cyber attack or simply human error on the part of an employee, data breaches in Australia are about to get more expensive.
Even before the introduction of the mandatory notification scheme, data breach notifications were already on the rise in Australia. The latest figures from the Office of the Australian Information Commissioner (OAIC) show a 29% rise in voluntary notifications, to 114 incidents, and a 119% increase in mandatory notifications for health data breaches, to 35 incidents.
Recent years have seen many companies admit data breaches, including the Australian Broadcasting Corporation, retailers Kmart Australia, David Jones and Big W, and online classifieds site Gumtree Australia. One of the largest breaches was the 2016 accidental release of private information of half a million people by the Australian Red Cross Blood Service.
According to an OAIC survey, more than two-thirds of Australians are more concerned about their online privacy now than just five years ago. Some 83% say that online environments are inherently risky to their privacy while over half have walked away from a business due to privacy concerns.
Up until February, only health companies were required to notify the regulator of a data breach, although the OAIC ran a voluntary data breach notification scheme that allowed businesses to self-report. However, under Australia’s new Notifiable Data Breaches (NDB) scheme, organisations with a turnover in excess of AUD 3 million are subject to a mandatory notification scheme with effect from 22 February 2018.
The NDB scheme requires businesses and government agencies covered by Australia’s Privacy Act to notify affected individuals of an “eligible” data breach, should that breach pose a risk of causing “serious harm”. Although the term is not defined in the legislation, serious harm is taken to include serious physical, psychological, emotional, financial, or reputational harm. Organisations are also required to notify the regulator of an eligible breach.
Once a data breach has been identified, the organisation must carry out a “reasonable and expeditious” assessment, although they have up to 30 days to conduct the assessment if they are unsure it meets the criteria for notification.
The scheme gives organisations the opportunity to take steps to address a data breach. If an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify individuals.
However, if a risk of serious harm is determined, then the organisation must “promptly” notify individuals to give them an opportunity to mitigate the risks. This notification must include:
- The identity and contact details of the organisation
- A description of the data breach and information exposed
- Recommendations about the steps individuals should take in response to the data breach.
The OAIC says that organisations should also prepare (or update) a data breach response plan to ensure they are able to respond quickly to suspected data breaches and conduct an assessment as required under the NDB scheme. The Commissioner has published guides on handling a data breach and on preparing a data breach response plan. The OAIC has also published guidance on exactly who is covered by the regime, what constitutes an eligible data breach and the requirements for notifying individuals about a data breach.
Failure to notify the OAIC of an eligible data breach can result in civil penalties. For serious breaches or repeated failure to disclose, an organisation will face fines of up to AUD 2.1 million.
In a recent speech, Australian Information Commissioner, Timothy Pilgrim, said that the NDB scheme should promote greater accountability for personal information and better personal information security across industries.
In addition to the NDB, Australia is ramping up its data protection regime with a new Privacy Code for government agencies, which takes effect from 1 July 2018. The Australian Government Agencies Privacy Code sets out specific requirements and key practical steps that government agencies must take to achieve a best practice approach to privacy governance.
The OAIC warned agencies that, if they are not already implementing best practice, there will be some substantial work ahead. Requirements include appointing a Privacy Officer and a Privacy Champion to provide leadership, as well as having a privacy management plan and undertaking a written privacy impact assessment.
The OAIC sees the developments in privacy regulation in the context of developments in other parts of the world, in particular Europe and Asia where privacy regimes are being strengthened.
For example, Australian organisations that trade with the EU and handle personal data on EU citizens will be subject to the General Data Protection Regulation (GDPR), which will take effect in May 2018. The GDPR introduces mandatory notification requirements in the EU, as well as new rights for consumers and increased powers for regulators.
The Australian Information Commissioner says that the GDPR and Australia’s privacy regulations have many similarities, such as the requirement to appoint a data protection officer and to conduct data protection impact assessments, as well as mandatory notification requirements. “These requirements follow a trajectory of privacy regulation that we are seeing unfold across the world,” according to the Commissioner.
The NDB is expected to increase the cost of data breaches in Australia, as was the case when mandatory notification requirements were implemented in the US. According to the Ponemon Institute, the average total cost of a data breach in Australia is currently around AUD 2.5 million, or AUD 139 per stolen record.
The legislation has already raised awareness of the need for cyber risk insurance, which has become the fastest growing commercial segment of Australia’s insurance market.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks.