Many professional groups and associations are beginning to advise their members of upcoming regulatory changes that will affect the way businesses approach data handling and security.
On 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 commences for Australian organisations. The amendment to the Privacy Act has been long overdue: it requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and any individuals likely to be at risk of serious harm from a data breach.
Data breach notification laws have existed in the US since 2002 and have since been adopted by most states. Europe has also passed the General Data Protection Regulation (GDPR), which was designed to harmonise data privacy laws across Europe. The regulation will be enforced from 25 May 2018, after which non-compliant organisations will face heavy fines.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach arises when the following three criteria are satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- this is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations according to the OAIC.
What is the Notifiable Data Breaches Scheme?
The NDB scheme requires organisations covered by the Privacy Act to notify the OAIC and any individuals likely to be at risk of serious harm from a data breach.
Assessing whether a notifiable data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was involved. For the NDB scheme, a 'reasonable person' means a person in the entity's position (rather than the position of an affected individual or any other person) who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.
The notification to affected individuals must include recommendations about the steps they should take in response to the data breach. The Australian Information Commissioner must also be notified. Organisations will need to be prepared to assess suspected data breaches quickly to determine whether they are likely to result in serious harm; the scheme expects an entity to take all reasonable steps to complete that assessment within 30 days of becoming aware of a suspected breach.
Not all data breaches are notifiable — the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the OAIC. There are also exceptions to notifying in certain circumstances.
What happens if your IT services provider or other third party with access to your network suffers an attack or data breach which allows your data to be exposed?
The legislation provides that if more than one entity holds the same personal information, a breach at one may constitute a breach at the other. However, both organisations are taken to have complied with their NDB scheme obligations if only one of them notifies, and organisations are free to decide amongst themselves which will be responsible for the reporting.
For more information about assessing a suspected data breach, please visit the OAIC Assessing a breach page.
For more information about notifying individuals about a breach, please visit the OAIC notifying individuals page.
How does cyber insurance fit into the upcoming notifiable data breach changes?
Cyber insurance policies are designed to assist a business or organisation with incident mitigation following an attack or breach, through both specialist resources and financial compensation. Most cyber insurers provide 24/7 incident response hotlines so that businesses can get help as soon as an incident is discovered, with specialist vendors available for overall damage control.
Benefits of a cyber insurance policy include:
- Access to the insurers response team
- Assistance investigating and resolving data security incidents
- Privacy commissioner investigation costs
- Cover for civil regulatory fines & penalties
- The insurer can advise on the obligation to notify and draft the notification
- Legal & public relations support
- Customer notification and credit monitoring costs cover
- Cover for impacts to profits & increased costs of working
Points to think about before 22 February 2018:
- Review existing insurance policies for cyber exclusions and limits of cover
- Arrange and test a business continuity plan that specifically addresses a cyber attack or breach
- Draft a data breach notification plan
- Review contract management and ensure that due diligence is done on contractors’ policies, particularly in the areas of IT security and personal information storage and collection
- Only collect and store personal information if it is necessary
- Test and ensure information security procedures for effectiveness
Contact Cyber Insurance Australia today for a free review of your existing insurance policies or to get a competitive quote.