Cybersecurity and notifiable data breach obligations – make sure you have a plan
Posted on May 27, 2021
In the modern age, malicious or criminal cyber-attacks on businesses are fast becoming the leading cause of data breaches notified to the Office of the Australian Information Commissioner (OAIC).
Just this week, Air India admitted to a massive breach that compromised the personal data of about 4.5 million passengers. The breach affected customers who flew with the airline between August 2011 and February 2021. Compromised data included customer names, dates of birth, contact information, passport information, and frequent flyer data. Also included was credit card information, although CVV/CVC numbers were not included. The airline has notified all affected customers and is currently helping them to remedy the harm resulting from the breach. (Password changes are the first measure.)
Data breaches usually occur when a cyber-criminal or ‘hacker’ gains unauthorised access to a computer network or email account with the aim of obtaining sensitive or personal data.
The law changed in February 2018 to impose new obligations on organisations which handle ‘personal information’ (PI). The Notifiable Data Breaches scheme is explained here.
Data breaches can have a serious impact, and Australian businesses and individuals must have in place robust cyber-resilience strategies to identify and respond quickly to threats.
Who is caught?
If your organisation is regulated by the Privacy Act, you should be familiar with your obligations under the Notifiable Data Breaches Scheme (NDB Scheme). If you fall victim to a cyber-attack, failure to comply with the NDB Scheme could see you pay large financial penalties and perhaps compensation.
The NDB Scheme potentially applies to all businesses having an annual turnover of $3 million or more. Smaller businesses are also caught if they trade in PI, hold Tax File Number information or are a credit reporting body, health service provider, allied health professional, gym, or weight loss clinic.
What is a data breach?
A data breach occurs when PI held by an entity is disclosed, lost, or accessed by an unauthorised third party. For example:
- Disclosure of an individual’s information to a cyber-criminal or “scammer” as a result of inadequate identity verification procedures.
- Loss or theft of physical devices (laptops, storage devices) or hard copy records which contain sensitive information.
- Inadvertent disclosure of PI (eg. an email mistakenly sent to the wrong address).
- Unauthorised access to personal or sensitive documents by an employee or officer of a business.
Consequences of a data breach
Data breaches can cause significant harm to the person or business being hacked, and also to individuals whose PI is involved in the data breach.
There have been several instances where large numbers of individuals were harmed by a data breach. Typically an unauthorised third party gained illegal access to the client database of a business. Examples include:
- Financial fraud including unauthorised credit card transactions or credit fraud.
- Identity theft causing financial loss or emotional and psychological harm.
- Physical harm or intimidation.
The Notifiable Data Breaches Scheme
The NDB Scheme is in Part IIIC of the Privacy Act. It requires entities to notify both the Office of the Information Commissioner (OAIC) and the affected individuals of certain data breaches.
An “eligible data breach” must be notified ie. where these elements are present:
- Unauthorised access or disclosure of PI has occurred (or, it has been lost and unauthorised access to it is likely to occur).
- Serious harm is likely to be caused to the affected individuals whose PI is hacked.
- The entity has been unable through remedial action to prevent the likely risk of serious harm.
If it is not clear whether the suspected data breach meets the above criteria, an assessment must be conducted to determine the risk of harm to affected individuals.
If the data breach is “eligible”, notification obligations under the NDB Scheme will then be triggered.
Failing to notify the OAIC or affected individuals of an eligible data breach is a breach of the provisions of the Privacy Act and may result in pecuniary penalties (up to $2.1 million for a company, or $420,000 for any other entity) [1].
Preparing a data breach response plan
Data breaches are on the increase. The OAIC keeps quarterly statistics. Last quarter there were 539 notifications, up 5%. Of these, 58% were malicious or criminal attacks, and 38% were attributed to human error.
A fast response to a suspected eligible data breach is critical in limiting the consequent harm. Businesses and individuals must have in place a data breach response plan which enables them to respond quickly and effectively in the event of an attack.
An effective data breach response plan will allow you to:
- Meet your notification obligations under the Privacy Act.
- Limit the harm caused by and the consequences of a data breach.
- Preserve the trust of affected individuals and the public at large.
We have assisted many clients who have suffered actual or suspected data breaches, and helped many others implement response plans. A moderate amount of planning and forethought can save a lot of grief and expense later on. Please contact us for further advice or help.
[1] Privacy Act 1988 (Cth), s 6, s13, s13G and s 80U