How Australian Businesses Can Rapidly Prepare for the New Data Breach Notification Laws

The deadline is rapidly approaching. You literally only have a few weeks left to bring your IT security policies and protection up to speed in light of the new data breach laws. The good news is, Australian businesses can rapidly prepare for the new data breach notification laws with Steadfast Solutions, who delivers you the widest coverage on IT solutions in Australia.

If you’re a business in the Melbourne or Brisbane areas — or, across the entirety of the Australian continent — we can help you raise your security profile and provisions to a level that acceptably meets the standards laid out by the mandatory data breach notification laws which take effect 22 February 2018.

A Brief History of the New Data Breach Notification Laws

In February 2017, the Australian Federal Parliament passed legislation to amend Australia’s privacy law to introduce a mandatory data breach notification regime. The new regime, once implemented, will require agencies and organisations subject to Australia’s Privacy Act 1988 (Cth) to notify data subjects and regulators in the event of a compliance-qualified data breach.

Mandatory notification laws have had significant repercussions in other globawl jurisdictions, introducing previously unheard of costs and consequences for companies when security events occur. With a more open and transparent approach to laws governing the handling of data comes an increased expectation from consumers and stakeholders as to the handling and security of data. In other jurisdictions, mandatory notification has resulted over time in more regulatory investigations, complaints and litigation brought by consumers and stakeholders.

Within a few years of the first data breach law in 2003, regulators began actively investigating data breach events.  Interestingly, many of the lawsuits and regulatory investigations focus on how the company responded to the breach event, contending that the company did not have a proper plan in place and/or did not notify the public of the incident quickly enough, rather than on how the breach occurred.

Australia’s new data breach notification laws will take effect from 23 February 2018 (or an earlier date as chosen by the Minister), but smart businesses are preparing now. Mandatory notification laws require organisations to carefully consider the practical issues that arise in responding to a data breach, and the unique crisis management challenges that these events can cause. They require close coordination between an organisation’s management, risk, and IT teams, as well as the internal and external legal and communications teams, to effectively and efficiently investigate, triage and manage the breach.

We’ll briefly examine the new laws, and the critical first steps Australian businesses should take in addressing these new challenges (like getting cybersecurity training for all staff, which Steadfast Solutions handles). Over the coming year, we will look more closely at different aspects of the new laws and as to how organisations can work to ensure compliance.

The New Data Breach Notification Laws at A Glance

By way of short summary, the key points to note from the new data breach notification laws are as follows:

• The notification regime will apply to all organisations which are APP entities under the Privacy Act 1988 (Cth)¹ as well as other entities including credit providers, credit reporting bodies, and file number recipients.
• The trigger for notification to the Office of the Australian Information Commissioner (OAIC) is an “eligible data breach” which means a breach where:
  • there is unauthorised access to, or unauthorised disclosure of, information; or
  • information is lost in circumstances where unauthorised access or disclosure is likely to occur; and
  • a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to which the information relates.
• “Harm” can include physical, psychological, emotional, and financial harm.
• Factors to be considered in determining whether a breach is likely to result in serious harm include the kind and sensitivity of the information, the security measures in place to protect the information and who is likely to have obtained the information.
• If an entity is unsure whether an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment (with a computer forensics analyst, as Steadfast Solutions can provide) and take no longer than 30 days to make this determination.
• Once it has been confirmed that an eligible data breach has occurred, an entity must:
  • prepare a prescribed statement and provide a copy to the OAIC as soon as practicable after becoming aware of the occurrence of an eligible data breach; and
  • if it is practicable to do so, take reasonable steps to notify the contents of the statement to individuals to whom the information relates, or to those at risk from the eligible data breach.  If neither option applies, the statement should be published on the organisation’s website and reasonable steps taken to publicise the contents of the statement. This must be done as soon as practicable following completion of the statement.
• There are a number of exceptions to the new data breach notification laws, which apply in particular circumstances.  These exceptions include: where remedial action is taken before harm is caused; where a data breach impacts multiple entities; where the breach is notifiable under section 75 of the My Health Records Act 2012 (Cth); where notification may prejudice enforcement related activities; or where notification is inconsistent with Government secrecy provisions.
• Failure to comply with the notification regime is considered an “interference with the privacy of an individual” under the Privacy Act 1988 (Cth) which can currently result in fines of up to AUD 1.8 million.

This “serious harm” requirement is intended to avoid the problem of excessive notifications which could arguably place an unreasonable compliance burden on regulated entities and contribute to “notification fatigue”. Assessing whether serious harm is likely to result from a breach will be a key challenge for Australian businesses under the legislation and will require entities to quickly determine the scale and type of records compromised by a security incident, to identify all of the actors who were involved in the incident, and to understand and assess how the personal information that has been compromised could be misused; for example, to commit financial fraud, identity fraud, or cause harm to individuals.

Similarly, assessing what a “reasonable person” would conclude, as to whether serious harm is “likely” will be a challenge for businesses, particularly in a cyber-breach scenario where time is of the essence.

Here, you can access OAIC guidance for the industry as to the various concepts and trigger tests under the new data breach notification laws, and we will provide additional guidance on these and other issues later in the year.

Steadfast Solutions takes care of your IT issues so you can devote your full attention to non-IT business matters with no worries or stress. Our expert IT solutions (including cybersecurity training for staff members) are implemented as custom-fit strategies that cover all your business IT and compliance requirements, and which are designed for long-range efficacy.

Preparation Begins with Knowledge

1. Know your data

Effective data management requires knowledge as to what data is captured and held within an organisation. In an age where data regularly sits across a number of systems, platforms, and mediums, it is an essential first step to consider what data you capture and hold and as to what your legal and regulatory obligations are relating to that data.

So, consider the data you collect and who it relates to, per the following questions:

• Where does the data sit in your organisation, and how it is managed – who is responsible for its collection, storage, security, and destruction?
• What information might sit in your IT systems?
• Do you need the data to be held in fully identifiable form or can it be destroyed or de-identified?

Data is no different to any other asset which must be considered, audited and assessed so as to set out an effective management strategy.

2. Incident response plan

Key to the effective management of any incident is an incident response plan. Even before the introduction of the new data breach notification laws, the OAIC expected to see a pre-prepared and considered plan being used in the management of a data breach.

The new data breach notification laws in Australia require swift action to be taken to determine if an incident is an eligible data breach and, if so, what notification to regulators and other parties is required. Now, with a 30-day timeframe within which to assess whether an incident is an ‘eligible data breach’, the need for an efficient plan is all the more apparent.

An effective plan should form part of an organisation’s broader data management and governance plan and should set out how an organisation will respond to a breach including, at a minimum:

1. How incidents are identified – who has oversight over the coalface, and how are incidents reported internally?
2. How is the response team determined and called – who plays a part in the response team and do they know their role?
3. How are incidents to be assessed as ‘eligible data breaches’ – who takes charge and how do the various internal stakeholders (legal, risk, IT, communications, etc.) work together to assess and consider the risk of harm?
4. How will cyber insurance support the organisation’s incident response (including the way notifications are to be made under the policy) and the process for providing breach response services included in the cover?
5. How are third party experts engaged – what external experts are required and are they on call?
6. How is the investigation documented – who is recording the steps taken and compiling a report, and does it need to be privileged? Here’s a recent Mondaq article on preserving privilege.
7. How is the plan tested – who is responsible for ongoing monitoring, testing and auditing of the plan?

3. Staff awareness and training

Regular staff training is key strategy organisations have adopted to minimise the risk of data breaches. Cybersecurity training should provide an overview of the risks associated with handling particular data sets, including the damage that may be caused due to any mishandling of that data, and the key steps in an organisation’s incident response plan that are relevant to the staff member.

Cybersecurity training will vary, dependent on seniority and roles within an organisation – but all levels, from those customers facing staff through to the board of directors, should be aware of the changing regime and the need to be alert to data incidents and data breaches on an ongoing basis.

As curators of sensitive information, Australian Businesses that have been breached or have lost data must report the incident to the privacy commissioner and notify their customers.

What Do the New Data Breach Notification Laws Mean for Your Business? 

The new data breach notification laws apply to organisations that have responsibilities under the Privacy Act, which includes:

• Australian Government agencies, and
• Businesses and not-for-profit organisations with an annual turnover of more than $3 million.

The privacy act also applies to certain types of Australian businesses with an annual turnover of $3 Million or less. These businesses include:

• Private sector health service providers (includes alternative medicine practices, gyms, and weight loss clinics fall into this category),
• Child care centres, private schools, and private tertiary educational institutions,
• Businesses that trade personal information,
• Credit reporting bodies, and
• Individuals who handle personal information under the mandatory retention scheme.

[Source credit: Commonwealth of Australia Explanatory Memoranda, Mondaq.com]

Don’t Wait! Prepare Now for the New Data Breach Notification Laws with the Right IT Solutions

The New Data Breach Notification Laws become effective on 22 February 2018. C-Level Executives, medium and large enterprises, and small business owners across Australian businesses can rapidly prepare now for the new data breach notification laws and optimize their Business Continuity and Cybersecurity Strategy (including workable cybersecurity training) by calling or emailing a Steadfast Solutions agent at (National) 1 300 659 508, IDD: +61 3 9785 4444, or hello@steadfastsolutions.com.au for a comprehensive consultation.