What You Really Need to Know About the Mandatory Data Breach Notification Law
A fool-proof compliance guide for Australian business professionals in all industries
In February of this year, the Mandatory Data Breach Notification Law went into effect. However, even though the date has come and gone, many professionals are still trying to get a handle on what’s required of them. Since data storage and security are fundamental responsibilities for all modern companies, strategic business professionals are eager to better understand the new law.
That’s why, we’re on a mission to create a clear and easy guide outlining this new law. That way, our clients and other Australian business professionals will understand exactly what’s expected of them and can implement strategies to ensure compliance with the new regulatory mandates. So, let’s dive in and review the top questions you and your organisation should be considering in order to maintain compliance.
- What is the Mandatory Data Breach Notification Law?
As of February, 22nd 2018, organisations subject to the 1988 Privacy Act are required to report any and all ‘eligible data breaches’ that occur on their networks. Professionals are required to swiftly report the incidence of data breach to both the Office of the Australian Information Commissioner (OAIC) and any clients or individuals who may be affected by the data breach in question.
- Whose Affected by the Mandatory Data Breach Notification Law?
The Mandatory Data Breach Notification regulations apply to all government agencies and private sector entities who are mandated by the Australian Privacy Principles stipulated under the Privacy Act.
This includes large private entities and non-profit organisations that turn an annual profit of over $3 million. However, it also includes small businesses and entities that provide healthcare services, contracted services, credit reporting services and much more.
- What Constitutes a Breach?
The Mandatory Data Breach Notification Law outlines specifically what kind of data emergencies are considered a breach. According to the regulatory mandates, an eligible breach is any data security event in which:
- there is an unauthorised access to, unauthorised disclosure or loss of personal information held by you; and
- a reasonable person would believe that such access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
While the law offers this explicit definition, the scope of “serious harm” is not defined. However, its recommended that professionals air on the side of caution and consider the potentially harmful impacts of any and all data breaches that occur. After all, any data breach involving sensitive financial or personal data can definitely be understood as having serious harm on impacted victims.
However, here are some tips for trying to determine the extent of “serious harm” created by a breach:
- Evaluate the type and sensitivity of the information impacted by the breach
- Determine whether or not the data was protected and encrypted in a way that would make it intelligible or unusable to the hackers
- Consider the persons, or the kinds of persons, who have stolen, or could obtain, the information without authorisation
- The nature of the harm that could occur as a result of the breach – whether it be physical, psychological, emotional, financial or reputational
For context, here are some examples of potential data breaches that could be considered ‘eligible’ under the new law:
- a company device with customer data is stolen or lost
- a company database that warehouses personal data is hacked
- the personal information of a customer is provided to an unauthorised party by mistake
- When Are You Required to Report?
Another key piece of information business professionals should know is when exactly they’re required to report to the OIAC and potential victims. According to the mandate, organisations are required to report as soon as possible when:
- Your organisation becomes aware the eligible data breach
- Your organisation becomes aware of reasonable grounds to believe an eligible data breach has occurred
- When your organisation is directed to do so by the Commissioner
There is a clause in the regulation that stipulates the circumstances under which organisations are not required to report. The Remedial Action clause notes that in the case of breach where an entity is able to take remedial action to prevent unauthorised access to or disclosure of information, a mandatory report is not required. In these cases, entities must be able to demonstrate their ability to prevent the misuse of data that is lost or stolen or prevent any kind of serious harm from resulting.
- How are you required to report?
The Mandatory Data Breach Notification law also stipulates clear instructions on how entities are required to submit notice of an eligible breach. In the case that an organisation becomes aware of a potential data breach the entity must follow this series of reporting steps as soon as possible:
- Prepare a detailed written statement that contains:
- The entity’s contact details
- The contact details of any outsourced entities that also store affected data
- A detailed description of the data breach
- The nature and type of information concerned
- A series of steps and recommendations that impacted individuals can use to prevent harm and negative consequences as a result of the breach.
Entities must provide a copy of this statement to the OAIC as quickly possible while also taking concrete steps to share the statement contents with affected individuals by email, telephone or mail. If direct communication with affected individuals isn’t possible, the entity in question must publish this statement on its own website or publicise it some other reasonable way. While ‘as soon as possible’ may seem vague, a reasonable timeframe will depend on the time, cost and effort required to meet the notification requirements.
- What Are the Penalties for Non-Compliance?
When an entity becomes subject to a data breach, the breach itself is unlikely to result in any financial or regulatory penalty. However, a failure to report an eligible data breach is considered an interference with the privacy rights of individuals affected by the breach. Under the Privacy Act, this means that failure to notify could result in a formal complaint to the Australian Privacy Commissioner.
While company directors and managers will not be held personally liable, serious or repeated reports of non-compliance can result in organisations facing civil penalties of up to $2.1 million.
So, How Can Your Organisation Promote and Maintain Compliance?
So after reviewing all the facts – you and your team are probably wondering: how can we promote and maintain compliance with the Data Breach Notification Law? The first step is being aware and the next is knowing what to look for and when to be concerned.
According to the mandate, entities can maintain compliance by:
- knowing when a data breach has occurred
- assessing whether the data breach is an ‘eligible data breach’
- taking appropriate “remedial action” in order to prevent the risk of any serious harm arising
In addition to these ‘in-the-moment’ strategies, the OAIC also recommends that covered entities have an up-to-date data breach response plan to ensure that breaches responses are efficient and effective. In fact, the OIAC has even created a helpful guide for handling personal data and security breaches – you can find it here.
Wondering what else you and your team can be doing to stay proactive and prepared? Check out these additional tips for staying on top of the Data Breach Notification Law:
- Understand what kinds of data you’re storing and where it is kept.
- Have a data protection strategy in place that has all your data storage and security information documented.
- Have a clear understanding of the various legal and regulatory mandates with which your organisation must comply.
- Examine your existing data privacy and security policies and procedures and make sure they are adequate and strategic. Your policy documents should include a detailed and proactive breach response plan that is easy to follow and implement in the case of disaster.
- Ensure your team is aware of the regulatory mandates and offer training to help prepare them for compliance.
- Manage your data sharing policies with vendors and third-party partners to ensure that privacy clauses are clearly stipulated and understood.
- If necessary, increase or supplement your cybersecurity strategy and better implement tools to prevent data breaches.
While regulatory compliance can seem overwhelming, staying on top of data privacy and protection doesn’t have to be impossible. If your organisation is looking for strategies to increase your data protection effort, don’t hesitate to reach out to a professional IT advisor for consultation and guidance. Protecting your company and client data is critically important and insights from an industry professional can make all the difference in maintaining a secure data environment.
Did you find this article informative? We’re happy to help! If you liked this, check out these other articles we think you’ll love: