Data Breach Reporting
New laws in 2018... but are you ready?
Australian businesses must report data breaches or face fines up to $1.8M. This mandatory reporting regime comes into effect from 23 February 2018.
You wisely invested in cyber security and cloud solutions. But what’s your plan of attack for data breaches?
Stay ahead of the curve. Learn the new laws. Avoid fines.
Who must comply?
Just about every business that is subject to the Privacy Act:
- Companies, partnerships, charities, trusts or unincorporated associations with an annual turnover above $3 million;
- health service providers;
- credit reporting bodies.
Many reasons (not just the ethical ones):
- avoid your business being fined up to $1.8M;
- avoid losing your job because you were responsible for a $1.8M fine;
- personal fines of up to $360,000;
- the PR disaster when the truth comes out.
What are the new laws?
The new laws [1] amend the Privacy Act and introduce a regime of “mandatory data breach notification”.
In our view, the new laws are a step in the right direction. However, they are not a very practical guide for business. For example, “serious harm” is a key term in the legislation and was used by Attorney-General George Brandis 67 times in the explanatory memorandum, yet the new laws do not define it.
The “simplified outline” in the new law is:
“An eligible data breach happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.”
So what does that mean? Simply put, if your business has a data breach and there is a possibility that the information could be exploited, you must report it to the Office of the Australian Information Commissioner (OAIC) or face getting fined.
Breaches of the new laws carry a maximum penalty of $360,000 for individuals and $1,800,000 for companies.
Why did they change the law?
Because the annual cost of identity crime in Australia is $2.2b [2].
Businesses hold more personal information than ever before. According to the Australian Law Reform Commission, this increases the risk of identity fraud and identity theft [3].
On a daily basis, your clients submit personal details including their full name, address or banking details – leaving fingerprints throughout cyberspace.
The purpose of the new laws is to ensure that incidents are promptly disclosed and contained. After all, if it was your personal data being leaked, you would want to know.
How do breaches occur?
Data breaches are not limited to cyber-attacks. Human error is often the cause, such as an employee leaving a company smartphone on a train or passwords on a post-it note.
We have compared two recent high-profile responses to data breaches:
| | Australian Red Cross Blood Service ✔ | Domino’s Pizza ✖ |
|---|---|---|
| When the breach occurred | October 2016 | Around September 2017 |
| Time taken to report breach | Within 24 hours | Unclear: an undated statement was published in the “media” section of Domino’s website in October 2017. |
| Data accessed | Names, addresses, birthdates and “at-risk sexual behaviour” of around 550,000 blood donors. | Customers’ names, email addresses, and their location based on their nearest Domino’s store. |
| How it happened | The Blood Service had engaged a contractor to develop and maintain their website and security. Unsecured personal data was posted on a website by the contractor, “due to human error” [4]. | The data breach allegedly occurred as a result of a “former supplier’s systems” leaking customers’ personal data [5]. Affected customers received unsolicited personalised emails which included their names and a reference to their suburb. Some emails allegedly included links to spam material. |
| How people were notified | The Australian Cyber Security Centre and the Australian Federal Police (AFP) were promptly informed. A public statement was made, donors were notified by text and email, and a hotline was set up to answer any queries or concerns. | Customers initially found out about the breach after affected customers commented on social media [6] that they had received phishing emails. Domino’s published an undated statement on its website which was not visible on its homepage [7]. |
| OAIC’s response | “Australians can be assured by how the Red Cross Blood Service responded to this event.” [8] The Blood Service had enhanced its information handling practices and no further recommendations were made. | The OAIC has allegedly been notified of the breach. |
| Compliant under the new laws? | Yes | Unlikely |
Gone are the days when companies can opt for silence when a data breach occurs.
Greater Delay = Greater Cost
Importantly, the greater the delay in reporting the breach, the greater the cost in cleaning it up.
In 2017, IBM and the Ponemon Institute surveyed 25 Australian companies and reported that:
- average cost of a data breach: $2.51M [9];
- a hacker attack is costlier than human error;
- greater delay = greater cost;
- identify breach within 100 days: $1.96M;
- identify breach after 100 days: $3M;
- contain breach within 100 days: $2.24M;
- contain breach after 100 days: $2.78M.
How to comply:
- CHECK if the new laws apply to your business;
- UPDATE your physical and cyber security;
- REVIEW your policies (collection notices, privacy policies, record retention and security), your service delivery partners (offsite data storage providers) and your cyber insurance;
- EDUCATE your employees;
- DOCUMENT a response plan (staff manual).
[1] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)