New mandatory data breach notification requirements: what makes an "eligible breach" and what you should do if your business is bound by the Privacy Act 1988
On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect.
Under the new requirements, entities that are bound by the Privacy Act 1988 (Privacy Act), known as "APP entities", will be obliged to notify the Privacy Commissioner and affected customers of any "eligible data breach" as soon as practicable after becoming aware of the occurrence. Where an APP entity merely suspects that its data has been breached, it will have 30 days to conduct an investigation before it must report.
The Commissioner has released an updated guidance: *Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)*.
In this eBulletin we look at what makes an "eligible breach" and what you should do if your business is bound by the Privacy Act.
A "data breach" occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure, or other misuse or interference. A data breach is an "eligible data breach" where "a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure".
The Explanatory Memorandum to the Bill states that "likely" means "more probable than not", and that the "serious harm" can extend to "serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation".
There are four key steps that an APP entity should take in response to an eligible data breach. These are:
- contain the breach and conduct a preliminary assessment;
- evaluate the risks associated with the breach;
- notify the Privacy Commissioner and affected individuals; and
- prevent future breaches.
A notification of an eligible data breach must:
- identify the entity and provide up-to-date contact details;
- provide a description of the data breach;
- detail the information that was subject to the breach; and
- make recommendations about the steps that individuals should take in light of the breach.
Where it is impracticable to notify individual customers of an eligible data breach, an entity must publish the above details on its website, and take reasonable steps to publicise the details.
As mentioned above, the affected individuals should be notified as soon as reasonably possible after the entity becomes aware, or ought reasonably to have become aware, of the breach. If an assessment is necessary to determine whether an eligible data breach has occurred, a maximum time frame of 30 days is allowed under the new requirements in which the entity must take all reasonable steps to complete the assessment of the possible breach. However, the Explanatory Memorandum explains that this 30-day period is not a hard deadline, as in some instances it may not be possible to complete the assessment due to complexities or the nature of the breach.
Failure to comply with the new breach notification laws constitutes an interference with the privacy of an individual under the Privacy Act. This triggers the powers of the Privacy Commissioner to investigate, make determinations and provide remedies for non-compliance with the Privacy Act. The Commissioner can impose a range of consequences, from public apologies and compensation payments to, for serious breaches or repeat offenders, civil penalties. Civil penalties are $420,000 for individuals and $2.1 million for body corporates.
APP entities should develop processes for detecting, containing and managing data breaches, including a detailed data breach response plan. In addition, APP entities should consider whether cyber insurance policies can assist with reducing the risk associated with a cyber incident. For APP entities that already have cyber insurance in place, we recommend that they ensure they are familiar with any conditions of their policy that dictate the steps they should take in response to a covered event. Acting otherwise than in accordance with the policy terms may entitle the insurer to reduce amounts payable under the policy to the extent the insurer's interests have been prejudiced.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.