Data breach legal obligations
Read on to find out what your legal obligations may be under the Notifiable Data Breach Scheme where you find yourself subjected to a data breach.
Understanding your data breach legal obligations is more important than ever. According to global cybersecurity company Kaspersky’s real-time cyberthreat map, Australia is the 30th most cyber-attacked country in the world. In fact, the Australian Cyber Security Centre (ACSC) reports that an average of 164 cybercrime reports are made by Australians every day! Attacks on businesses make up a significant portion of this and bring with them major reputational, financial and legal risks.
This is particularly true since the introduction of the Notifiable Data Breach Scheme (NDB Scheme) in February 2018. The NDB Scheme places an obligation on entities covered by the Privacy Act 1988 (Cth) (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where they experience an Eligible Data Breach.
There are significant consequences for failing to comply with the NDB Scheme, including potential fines of up to $440,000 for serious contraventions. That’s why it’s vital to have a clear understanding of your data breach legal obligations and know how to respond if you are subjected to a data breach.
Even putting legal compliance aside, there are the reputational risks that come with a data breach to consider. People are generally aware of the prevalence of security incidents; therefore, your reputation may be affected less by the fact that you were subjected to a data breach and more by how you responded to it. Think of a data breach as an opportunity to show how seriously you take the protection of personal information and to demonstrate how promptly and effectively you resolve issues. Having a Data Breach Response Plan and/or a Privacy Policy in place is a valuable first step towards demonstrating good corporate citizenship.
Get one step closer to being prepared for a data breach by contacting us for a free copy of our Data Breach Response Plan.
Data breach legal obligations: What are they?
So what are your obligations under the NDB Scheme?
The NDB Scheme only applies to what are known as “APP Entities”, which are entities covered by the Privacy Act. Determining whether your business falls within this definition is not always straightforward, and it may be beneficial to engage a Privacy Lawyer to help you clarify this.
A data breach occurs when personal information an entity holds is lost or subjected to unauthorised access or disclosure. A data breach is considered an Eligible Data Breach under section 26WE of the Privacy Act where it is likely to result in serious harm to an individual whose personal information is involved.
Under section 26WH of the Privacy Act, APP Entities are required to conduct an assessment where they are aware of reasonable grounds to suspect that they may have been subject to an Eligible Data Breach but are not yet aware of reasonable grounds to believe that they have actually been subject to an Eligible Data Breach. Under such circumstances an APP Entity must “carry out a reasonable and expeditious assessment” of whether the data breach amounts to an Eligible Data Breach and take all reasonable steps to ensure that this assessment is completed within 30 days after the entity becomes aware of the reasonable grounds to suspect.
Determining whether a data breach is an Eligible Data Breach is often complicated and requires an in-depth understanding of a number of legal concepts and a forensic assessment of IT systems. Therefore, when facing a potential Eligible Data Breach it is advisable to engage professionals (such as lawyers and forensic IT specialists) to assist in the process and in determining your data breach legal obligations.
Data breach legal obligations: What is an Eligible Data Breach?
It is important to understand the broad applicability of your data breach legal obligations.
An Eligible Data Breach arises, pursuant to section 26WE of the Privacy Act, where there is some form of unauthorised access to or disclosure of personal information, or where the personal information is lost. Therefore, a wide range of circumstances can amount to an Eligible Data Breach, from a malware attack on your critical systems to a staff member leaving a company device on a bus.
There are, however, a few exceptions where, despite a data breach otherwise meeting the definition of an Eligible Data Breach, an APP Entity is not required to treat it as one and does not have to make the necessary notifications.
For example, under section 26WF of the Privacy Act, where certain remedial action has been taken such that a reasonable person would conclude that the data breach would not be likely to result in serious harm to any affected individuals, the data breach may not be considered an Eligible Data Breach.
Understanding whether your data breach is in fact an Eligible Data Breach is vital to determining what your data breach legal obligations are.
Our Data Breach Response Plan includes an assessment report to help you gather some of the necessary information to help you determine whether you have been subjected to an Eligible Data Breach.
Data breach legal obligations: How do I respond to a potential Eligible Data Breach?
The OAIC provides a number of useful resources on how to appropriately respond to an Eligible Data Breach.
The OAIC states that entities which experience a data breach should undertake the following four steps:
- Step 1 - Contain the data breach to prevent any further compromise of personal information.
- Step 2 - Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
- Step 3 - Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
- Step 4 - Review the incident and consider what actions can be taken to prevent future breaches.
These steps have not been outlined by the OAIC in any order of priority, nor do they need to be undertaken chronologically. In fact, the OAIC recommends that steps 1-3 are undertaken either simultaneously or in quick succession.
It is important to note that, when undertaking an assessment of a data breach, it may become apparent that an individual should be notified before a formal notification statement is drafted. This could be due to the sensitivity of the personal information involved or the potential harm which may occur. This may be needed, for example, where a person’s credit card information or government identifier may have been compromised.
Our Data Breach Response Plan includes a framework to assist you in responding to a potential Eligible Data Breach effectively and efficiently.
Data breach legal obligations: What do I do if I am subjected to an Eligible Data Breach?
The key data breach legal obligation to understand is an APP Entity’s requirement to notify under section 26WK of the Privacy Act when they are aware that there are “reasonable grounds to believe that there has been an eligible data breach of the entity”. At this point, an APP Entity must, as soon as practicable, prepare a notification statement and provide a copy of that statement to the OAIC. Drafting this statement correctly is vital as there are specific legal requirements in section 26WK of what must be included in this statement.
Under section 26WL, the entity must then provide that statement to the relevant individuals. Which individuals an APP Entity is required to notify depends on a number of circumstances which are outlined in section 26WL of the Privacy Act. This section also sets out how individuals are to be notified, and requires that this be done “as soon as practicable” after the preparation of the statement.
Our Data Breach Response Plan includes useful resources to help you determine what to include in your notification statement, which affected individuals to provide it to and how you should notify them.
Data breach legal obligations: How do I prepare for a potential Eligible Data Breach?
You may have guessed by now that one of the important components in preparing for a potential Eligible Data Breach, mitigating risk and working towards complying with your data breach legal obligations, is to have in place a Data Breach Response Plan.
We here at IT and Startup Lawyers believe that having a Data Breach Response Plan in place is too important to not have, so we’ve decided to freely share our framework with you. Simply contact us and we'll send you a copy!
However, it is important to understand that this plan is not definitive. There is no single method of responding to a data breach, as breaches can be complex and must be dealt with on a case-by-case basis. It is also important to note that this plan is provided as a framework into which you should actively incorporate any relevant business knowledge and processes. It should not be considered a static document and should be reviewed and tested regularly.
Finally, this plan doesn’t cover the technical elements of responding to a data breach (i.e. containing a breach and preventing a compromise of personal information) which are best handled by cyber security specialists.
We hope this page and our plan have helped you towards understanding your data breach legal obligations. If you have any further questions regarding the NDB Scheme or privacy law in general, please feel free to call us for an obligation-free discussion.