'Notifiable Data Breaches'. A term every business should understand from 22 February 2018
Until now, it has been left up to the company to decide whether it will notify those affected by a data breach, but all that is about to change. The passing of the Privacy Amendment (Notifiable Data Breaches) Act 2017 means that a new Notifiable Data Breaches Scheme is about to be introduced by the Office of the Australian Information Commissioner (OAIC).
From 22 February 2018, all qualifying business entities must report a Notifiable Data Breach to the OAIC within 30 days of the breach occurring. They must also notify any third parties who are likely to be harmed by the breach and advise them of what action they should take.
Qualifying entities include any businesses or organizations that are currently subject to the Privacy Act. This includes many government agencies, organizations with an annual turnover greater than $3 million, credit providers, credit reporting bodies, holders of tax file numbers (ie, accountants) and any businesses that collect sensitive personal information (ie, health service providers, child care centers, GPs, pharmacies etc).
What is a Notifiable Data Breach?
A Notifiable Data Breach is a breach that occurs when personal information is lost, accessed or disclosed without authorisation and is likely to cause serious harm to someone as a result.
A Notifiable Data Breach is said to occur when all of the following apply:
- There is unauthorized access, disclosure or loss of personal information.
- It is likely to result in serious harm to one or more people.
- Remedial action has failed to prevent the risk of serious harm.
Examples of unauthorised access, disclosure or loss include a company server containing personal information being hacked, an employee disclosing personal information without authorisation, or a mobile device containing personal information being lost or stolen.
Examples of serious harm might include:
- Physical harm
- Mental harm
- Financial harm
- Reputational harm.
An example of remedial action failing to prevent the risk of that harm would be someone leaving a business laptop containing personal information on a train, after which attempts to wipe the laptop's hard drive remotely using data-erasure software are unsuccessful.
What will this mean for business?
The implications for businesses now being required to report Notifiable Data Breaches will include the following:
- Potential fines of up to $360,000 for individuals and $1.8 million for organizations that fail to report breaches.
- The urgent need for an effective risk management plan to handle any potential data breaches.
- The urgent need for cyber liability insurance to protect the business from liability.
An effective risk management plan would include identifying personal information at risk and increasing its protection by upgrading security and policies as well as having sound procedures for responding to a breach and minimizing its impact.
How can insurance help?
The introduction of the Notifiable Data Breaches Scheme is likely to see a sharp increase in the number of businesses seeking to protect themselves from liability with cyber insurance.
A good cyber insurance policy will cover these main areas of risk:
- Technology professional services. This covers your liability for committing an error while providing technology services to others.
- Customer support and reputational expenses. This covers the cost of notifying those affected by a breach, investigating the breach and repairing the reputational damage.
- Multimedia liability. This covers legal costs and penalties awarded for online breach of copyright.
- Business interruption/loss of income. This covers losses incurred while being unable to do business because of a breach.
- Security and privacy liability. This covers legal defense costs and penalties awarded as a result of a breach.
- Cyber extortion. This covers the forensic costs and ransom payments associated with a cyber-extortion attack.
As well as financial protection, some cyber insurance policies even provide hands-on assistance in the form of access to an incident response team. This is a team of specialists who can provide help with reporting a breach and contacting affected parties as well as investigating and resolving data security issues.