Last week, a new piece of legislation slipped almost unnoticed into the Australian business world, barely causing a ripple of consternation in the small business pool of day-to-day busyness.
Just another piece of legislation, but with huge potential consequences. When the Act kicks into effect somewhere in the next 12 months, Australia will have some of the strictest data breach disclosure requirements in the world.
Small businesses need to get across what this Act means and start putting in place procedures, risk mitigation strategies and support teams to help manage their obligations under it.
Why is this an issue?
People’s personal information is gold. Hackers and other nefarious types can sell or use this personal information to access credit, blackmail people, or set up phishing schemes to fleece unsuspecting people of their money. People have a right to know if their private information has been compromised, so they can take appropriate mitigation actions.
Australia has had a voluntary reporting scheme over past years that was not widely used. Many small businesses were simply not aware that they had any role to play when the information they held was compromised, and simply fixed the technical problem and moved on.
For example, I have worked with two small financial planning / mortgage businesses in the past year whose websites had been hacked. Both had client databases attached to their websites, and it was reasonable to assume that all the confidential data had been accessed by the hackers. Neither had notified the OAIC or their clients whose data had potentially been compromised.
It is cases like these that the new Act is working to address.
Quick Intro to The Privacy Amendment (Notifiable Data Breaches) Act
The new Act provides a detailed compulsory reporting requirement where there is unauthorised access, disclosure or loss of personal information that could be considered likely to result in serious harm to the people to whom the data relates.
Translated into English:
- If your business or website is hacked or suffers a CryptoLocker-type virus (ransomware), you are legally obliged to report it.
- If you lose a laptop or phone from which someone could access your clients’ confidential details, you are legally obliged to report it.
- If you lose a paper file with confidential client details, or if files are stolen from insecure garbage bins or recycling bins, you are legally obliged to report it.
- If you dispose of an external backup drive or computer without correctly wiping it of confidential client details, you are legally obliged to report it.
- If you accidentally send the wrong letter or email to someone, containing another client’s details, you are legally obliged to report it.
What is serious harm?
One of the key terms explored in the Act is what is meant by serious harm. It is quite broadly defined and could include serious physical, psychological, emotional, economic and financial harm, as well as a serious harm to someone’s reputation.
Who is covered by the Act?
The Act covers businesses currently covered by the Privacy Act, plus a few extras.
- Anyone who is currently covered by the Privacy Act (i.e. federal government agencies and businesses and not for profits with a turnover of over $3 million).
- Private sector health providers and people who handle confidential medical information or records. This is a broad-reaching category that includes alternative health practitioners and healers, gyms, personal trainers, dieticians and chiropractors. You need to seek clarification from your lawyer if you are not sure whether this covers you. Read more about who is covered under the definition of providing a health service.
- Child care centres, schools and colleges
- Businesses that sell or buy personal information such as direct marketing businesses
- Credit reporting bodies
- People who handle confidential information such as tax file numbers (such as bookkeepers, accountants and financial planners)
Who do you have to notify?
If you have had, or suspect you may have had, a breach, you are legally required to notify the people whose confidential information may have been compromised as soon as possible after you become aware of it. You can do this via your normal means of communicating with your clients, or by phone, email or letter, and either individually or collectively depending on the situation.
As a minimum, your notification needs to contain: a description of the breach; a list of the types of personal information that were disclosed; recommendations about the steps that individuals should take in response to the serious data breach; and contact information for affected individuals to obtain more information and assistance. I would also include details of what you are doing about the breach, how you will stop it happening again and the steps you are taking to support people affected by the breach.
The type of mitigation advice that may be given includes recommending people change their passwords, monitor their credit reports and cancel credit cards.
You also need to notify the Office of the Australian Information Commissioner of the breach and your response.
What are the penalties?
The penalties for not complying are severe: up to $1.8 million in fines for organisations.
ASIC is also on the case
In case the OAIC is not enough, ASIC requires companies to address cyber risks as part of their legal and compliance obligations under the Corporations Act. ASIC also requires such risks to be disclosed to potential investors, and in the annual directors’ report if the risk could affect financial performance.
Action Items: What do you need to do now?
- If you are covered by the new Act, regularly check in with the Australian Information Commissioner website https://www.oaic.gov.au/ and the ASIC website http://asic.gov.au/ to stay across any new guidelines or practice notes issued during this transition period.
- Consider getting cyber insurance if you don’t already have it to help mitigate costs of any breach in terms of IT support, notification of clients, credit report monitoring for clients (if offered), legal fees, and assistance with the OAIC notification.
- Stay in touch with your professional association to see if they will issue any industry specific practice notes or guidelines.
- Conduct a thorough IT audit and review of all IT systems within your organisation to reduce risks of cyber-attack, and to enhance your data security.
- Review your policies and procedures in relation to privacy, file storage and file disposal. Ensure you run your policies past your specialist IT Lawyer.
- Develop an emergency cyber breach response plan for your organisation including details of who is notified, when they are notified and a thorough communications strategy including draft notifications.
- Keep your websites fully maintained, with premium-level security in place at all times. Read more about ways to reduce the risk of your WordPress website being hacked.