Data breaches are commonplace in an increasingly digital world. New laws are set to come into effect this month that will require thousands of Australian companies to notify individuals and the Government if they believe a data breach has occurred within their IT systems causing personal information to be compromised.

Recent high profile data breaches include Uber's debacle with the personal information of reportedly 57 million Uber customers and drivers stolen along with Uber's failure to disclose this massive breach for over a year, and the 2016 admission by the Red Cross that the personal data of over half a million Australian blood donors may have been compromised. These new laws are overdue and much needed to equip individuals with greater certainty in relation to the security of their personal information.

What is it?

Australia's new mandatory data breach reporting laws come into effect on 22 February 2018. Known as the Notifiable Data Breaches (NDB) scheme, the new legislation will be contained within Part IIIC of the Privacy Act 1988 and largely mirror similar laws introduced in other countries including the USA.

Who does it apply to?

Any agency or organisation already subject to the Privacy Act (known as an APP entity). This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of at least $3 million, health service providers and more. Generally small business operators (including sole traders and unincorporated associations) with an annual turnover under $3 million will not be subject to the NDB scheme's obligations. For more information click here.

What are the new obligations?

If the organisation incurs an "eligible data breach", within 30 days it must notify individuals whose personal information is likely to result in serious harm due to the breach. The notification must include recommendations about the steps individuals should take in response to the breach. The organisation must also alert the Australian Information Commissioner of an eligible data breach. This can be done through an online form, the Notifiable Data Breach statement, and here you will find what to include in the statement.

An eligible data breach is one in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is "likely to result in serious harm to any of the individuals to whom the information relates". Examples may include the hacking of a database containing personal information or personal information that is mistakenly provided to the wrong person. The scheme is not retrospective so if the breach occurred prior to 22 February 2018, even if it is discovered after this date, then it is not considered an eligible data breach for the purposes of this scheme.

The legislation distinguishes between notifiable and non-notifiable breaches. If an organisation can show that it has taken appropriate steps to mitigate the breach, then notification is not required.

What if I fail to report?

The consequences are potentially significant with a business that fails to report an eligible breach facing penalties of up to $360,000 for individuals and $1.8 million for organisations. For those affected, the release of personal names, email addresses and phone numbers may leave them susceptible to phishing attacks. Information such as driver's licence numbers and bank account details could lead to fraud, identity theft and money laundering.

How often do data breaches occur?

Data breaches are frequent and have in the past often been covered up with those most effected having little to no knowledge that their personal information has been compromised.

In 2017 it was reported that more than 1 in 10 Australians potentially had personal information stolen in a security breach that ride-sharing company Uber allegedly covered up for over a year. It was revealed by Uber that the personal information of a staggering 57 million customers and drivers (including names, email addresses and mobile phone numbers) had been compromised in a data theft and the company paid US$100,000 to the perpetrators to delete the stolen data. It was not until November 2017 that Uber notified the Privacy Commissioner. There was a distinct failure to notify affected individuals and regulators.

Had Australia's new mandatory data breach reporting laws been in effect, Uber would have been penalised for their failure to contact victims and report the breach to the Australian Information Commissioner.

How can I prepare?

  1. Firstly, determine whether your agency or organisation is subject to the NDB scheme.
  2. Check out the Information Commissioner's Guide to securing personal information. Be aware of how personal information is stored and managed.
  3. Have in place a data breach response plan. The Information Commissioner has an excellent guide to help prepare such a plan.
  4. Seek legal advice at any step along the way to ensure that you are fully aware of your obligations, ensuring the safety of staff and customers, and have in place procedures and protocols should a data breach occur.

Useful Links

Legislation: Privacy Amendment (Notifiable Data Breaches) Act 2017

Australian Information Commissioner's website about the Notifiable Data Breaches Scheme

Uber CEO Dara Khosrowshahi's blog post 21 November 2017

Red Cross Blood Service admits to personal data breach affecting half a million donors – ABC News 28 October 2016

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.