The recent passing of mandatory data breach notification laws through the senate imposes on organisations a need for increased transparency and accountability.
Australian government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million will soon be legally obliged to disclose eligible data breaches. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has been passed by both houses of parliament and will come into effect within the next 12 months.
Unlike many other countries, Australia does not currently have a mandatory data breach notification law. Organisations could voluntarily undertake notification of data breaches, however, there has been no express requirement under the Privacy Act for them to do so.
The new bill makes it a legal requirement for organisations subject to the Privacy Act to make notification of data breaches as soon as they are aware of it. This includes organisations with an annual turnover of more than $3 million, smaller organisations in the health and education sectors covered under the Privacy Act and individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records.
Eligible data breaches
Once the law is passed, if organisations have reasonable grounds to suspect that there may have been an eligible data breach, they must carry out, and complete, an assessment within 30 days. Notification of such breaches must be made to the Australian Information Commissioner and affected individuals.
An eligible data breach is one where there has been unauthorised access to, or disclosure of, personal information and there is a likely risk of serious harm to any of the affected individuals, or where personal information is lost in circumstances that are likely to give rise to unauthorised access to or disclosure. Whether an individual was at risk of “serious harm” would depend on a number of factors, such as whether the information is encrypted (and how hard that encryption would be to break) and the sensitivity of the information.
The notification to the Australian Privacy and Information Commissioner and affected individuals should contain a description of the data breach, the kind of information involved, and steps that individuals can take to respond to the security incident.
Disclosure in a timely manner can be a daunting task for many Australian businesses that are ill-equipped to detect a breach, often not finding out until months later. On average, breaches remain unnoticed for 229 days. Even then, while the company may know an intruder has accessed its systems, it might not be able to determine what, if anything, was stolen.
The need to make a potentially damaging declaration in the event of a breach is now an incentive for organisations to review their information handling processes and ensure security systems are as tight as possible. Failure to comply with the notification scheme will be deemed an interference with the privacy of an individual and penalties include fines of $360,000 for individuals and $1.8 million for organisations.