Security alert: mandatory data breach laws

This is a security alert that should not be ignored!

Mandatory data breach notification laws will soon commence in Australia^[1]. The new laws will affect federal government agencies and organisations (with an annual turnover of more than $3 million), who will be required to notify an ‘eligible data breach’ to:

the Australian Information Commissioner; and
affected individuals.

Data breach triggers

An ‘eligible data breach’ arises where:

there has been unauthorised access to, or unauthorised disclosure of, personal information about 1 or more individuals; and
there is a likely risk of serious harm to such individual(s).

‘Serious harm’ may include:

serious physical, psychological, emotional, economic and financial harm;
serious harm to reputation; and
serious harm that a reasonable person would identify as a possible outcome of the data breach^[2].

Sink or swim – you decide

If there are reasonable grounds to suspect an eligible data breach, an organisation must:

carry out a reasonable and expeditious assessment as to whether an eligible data breach has occurred; and
take reasonable steps to ensure the assessment is completed within 30 days after becoming aware.

If an eligible data breach has occurred, the organisation must, as soon as practicable, notify the Australian Information Commissioner and the affected individuals.

A second chance

If there is an eligible data breach, the organisation should take remedial action before the unauthorised access or disclosure of personal information results in serious harm to the affected individuals. If so, then it will not be required to notify the affected individuals. That’s a handy ‘get out of jail card’.

Failure to comply – ouch

Failure to comply with the notification requirements under the new laws could mean:

monetary penalties of up to $1.8 million for organisations; and
$360,000 for individuals.

Top 4 compliance tips

Organisations should now take the following steps in pursuit of compliance with the new laws:

1. Update existing privacy policy.

2. Create or update the data breach response plan, which should:

a. appoint employees and external experts (eg IT providers and lawyers) responsible for managing data breaches; and
b. outline procedures for identifying, investigating and managing data breaches and notifications.

3. Train staff to ensure they are aware of, and can respond to, data breaches.

4. Review existing contracts with services providers to ensure compliance with the new laws.

If you need help complying with the new data breach notification laws before they come into effect, you should seek advice from Bespoke’s privacy lawyers.

^[1] Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth).
^[2] Explanatory Memorandum to Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth).

^{Privacy: a new broom sweeps across borders}
^{Counting the cost of outsourcing (part 1)}
^{Counting the cost of outsourcing (part 2)}