Legislation

Privacy Amendment (Notifiable Data Breaches) Act 2017: Data, compliance and implications

This is Part 3 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read Part 1: Introduction to the new legislation. Click here to read Part 2: Eligible data breaches.


In previous posts, we introduced you to the basics of the NDB Act, including what makes a breach ‘eligible’ for reporting under the Act. This week we look at what kind of data the NDB Act will cover, who needs to comply, and the implications this Act will have on Australian digital security in the workplace.

What kind of data does the Act cover?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 applies to personal information collected and held by organisations in the course of doing business. Personal information is treated as sensitive because its unauthorised disclosure can harm the individual it relates to. For example, unauthorised disclosure may enable another person or people to commit fraud resulting in financial crime or identity theft, damage the reputation of an individual or their business, or create a risk of physical harm.

Some types of information covered by the Act are listed below. Though the list is not exhaustive, it gives an indication of the nature of private or sensitive information, and is a good starting point for companies to understand the wide scope of the NDB Act. The act can cover:

  • Names;
  • Telephone numbers;
  • Postal addresses;
  • Email addresses;
  • Identification documents, such as driver's licence or passport details;
  • Medical records;
  • Personal opinion statements of a sensitive nature;
  • Tax file numbers (TFNs);
  • Online identifiers such as IP addresses; and
  • Login details for online banking and payment accounts.

Disclosure of any one of these types alone, or of several types in one incident, can constitute an eligible breach. There is no minimum number of affected individuals: unauthorised access to a single individual's information can constitute an eligible breach.
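When assessing an incident, the first practical question is whether the exposed data actually contains any of the categories listed above. The following scanner is an added example, not code from the original post; it runs over a handful of constructed records and reports which categories appear. The regular expressions, category names and sample records are assumptions made for the example. The tax file number check uses the ATO's published check-digit weighting (digits weighted 1, 4, 3, 7, 5, 8, 6, 9, 10; the weighted sum must be divisible by 11), which separates a real TFN from any other nine-digit number such as an order reference.

```python
"""Scan records for the categories of personal information the NDB post lists.

Added example for this post, not the page's or any regulator's tooling.
Patterns, category names and SAMPLE_RECORDS are assumptions constructed here.
"""
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed sample records (hypothetical; not real people or systems).
SAMPLE_RECORDS = [
    "customer=Jane Citizen email=jane@example.com phone=0412 345 678",
    "export row: tfn=123 456 782 addr=12 Example St Sydney NSW 2000",
    "auth log: user=jane src=203.0.113.45 status=ok",
    "note: order ref 123 456 789 shipped",        # nine digits, but not a valid TFN
    "contact: support@example.net ip=999.1.1.1",  # not a valid IPv4 address
]

# ATO tax file number check-digit weights (published algorithm).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_check_digit_ok(candidate: str) -> bool:
    """Weighted digit sum of a 9-digit TFN must be divisible by 11."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def ipv4_ok(candidate: str) -> bool:
    """Reject dotted quads with an octet outside 0-255."""
    parts = candidate.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


# category -> (pattern, optional validator that confirms a regex hit)
PATTERNS: Dict[str, tuple] = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    # Australian mobile/landline written as 0X followed by 8 digits, optional spaces/hyphens
    "phone_au": (re.compile(r"(?<!\d)(?:\+61|0)[2-478](?:[ -]?\d){8}(?!\d)"), None),
    "ipv4": (re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"), ipv4_ok),
    "tfn": (re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"), tfn_check_digit_ok),
}


def scan_record(text: str) -> Dict[str, List[str]]:
    """Return {category: [matches]} for one record, keeping only validated hits."""
    found: Dict[str, List[str]] = {}
    for category, (pattern, validator) in PATTERNS.items():
        validate: Optional[Callable[[str], bool]] = validator
        hits = [m.group(0) for m in pattern.finditer(text)
                if validate is None or validate(m.group(0))]
        if hits:
            found[category] = hits
    return found


def exposed_categories(records: List[str]) -> Set[str]:
    """Union of categories found across a data set.

    Any non-empty result means the exposed data falls within the types the
    post lists, regardless of how many individuals' records are involved.
    """
    categories: Set[str] = set()
    for record in records:
        categories.update(scan_record(record))
    return categories


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(f"{record!r} -> {scan_record(record)}")
    print("categories exposed:", sorted(exposed_categories(SAMPLE_RECORDS)))
```

Two design points matter in practice: a validator on top of each regex (the TFN check digit, the octet range for IPv4) keeps a dump of order numbers or version strings from being mis-classified as personal information, and the scanner reports the category of what was found rather than only a count, since under the Act a single record with one category can be enough to trigger an assessment.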

Who needs to comply?

The NDB Act will apply to most Australian businesses and government agencies that collect, handle, or store personal information. As an amendment to the existing Privacy Act 1988, the NDB Act will govern any organisation currently operating under the Privacy Act. This includes:

  • businesses and not-for-profit organisations with an annual turnover greater than $3 million;
  • Australian government agencies;
  • health services in the private sector including alternative medicines and fitness institutions;
  • child care centres, private schools, and other private educational institutions; and
  • businesses that sell or purchase personal information in conjunction with credit reporting bodies.

What are the key implications?

The Act will change the way organisations look at digital security by creating a strong disincentive to allow a data breach. Under the new law, an eligible breach cannot be handled quietly. If one occurs, organisations will be obliged to notify the OAIC and the affected individuals, which in effect publicises their failure to keep data safe. Public knowledge of a breach can damage reputation and bring financial costs in the form of legal fees and efforts to regain customer trust.

If a breach is later found not to have been reported correctly, the financial costs rise further: legal costs, clean-up, and civil penalties of up to $1.8 million. It follows that the safest position for businesses under the NDB Act is to prevent breaches in the first place.

The Act is intended to create a sense of transparency across Australian organisations, and assure Australians that businesses are taking personal digital security seriously. It should encourage organisations to inspect and improve their digital security practices prior to 22nd February 2018 and to maintain best practice for digital security into the future.


For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.


This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

Privacy Amendment (Notifiable Data Breaches) Act 2017: Eligible data breaches

This is Part 2 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read Part 1: Introduction to the new legislation.


In last week's post, we introduced you to the basics of the NDB Act and what it will mean for digital security in Australia. The new legislation, effective 22nd February 2018, calls for mandatory reporting of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and to the individual(s) affected by the breach. This week we discuss what makes an eligible breach 'eligible'.

What is an eligible data breach?

If you’re familiar with the NDB scheme from our last post, you’ll be acquainted with the phrase ‘eligible data breach’. Under the new legislation, organisations are required to report a data breach if it is considered ‘eligible’. Eligibility depends on the nature of the compromised information and the potential risk that unauthorised disclosure may cause to the individual(s) whose information has been compromised.

An eligible breach occurs when there is unauthorised access to, or unauthorised disclosure of, personal information (or loss of information in circumstances where such access or disclosure is likely), and the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates.

Events that can constitute an eligible breach could include:

  • lost or stolen information in its hard form (such as in computer hard drives or paper records);
  • improperly destroyed data that is disposed of insecurely;
  • hacked databases;
  • employees accessing information that falls outside their authorisation; or
  • organisations sending data unintentionally to the wrong recipient.

A breach does not need to be proven before the scheme applies. If there are reasonable grounds to suspect that a breach has occurred, or that data has been lost and cannot be retrieved, the organisation must assess the suspected breach; if the assessment finds a likely risk of serious harm, the breach is eligible and must be notified.

What is ‘serious harm’?

Serious harm is described in the explanatory memorandum that accompanies the NDB Act. It comes in many forms, and can include:

  • financial or economic harm;
  • physical harm;
  • psychological or emotional harm; and/or
  • damage to reputation.

If information has been compromised and the compromise is likely to cause serious harm of any of these kinds, whether to a single individual or to many, it should be reported.

There are many situations in which serious harm can result from the disclosure of personal information, and the potential harm varies according to the information and to the individuals in question. For example, serious harm can result from the disclosure of:

  • financial information, resulting in financial fraud;
  • identity information, resulting in identity theft or fraud;
  • addresses or contact information of certain individuals, resulting in potential physical or emotional harassment and harm;
  • statements made under a confidentiality agreement, resulting in potential reputation damage; or
  • sensitive medical information, resulting in potential reputation damage.

These are only some examples of the situations in which individuals can experience serious harm as the result of a data breach. Under the new legislation, it would be prudent for organisations to report any breach where a real risk of serious harm cannot be ruled out, in order to avoid the harsh penalties that may apply for non-compliance.

When is there a real risk of serious harm?

Assessing if there is a risk of serious harm relies on factors like:

  • the nature and sensitivity of the information that has been/ may have been disclosed;
  • the security measures or encryption still protecting the compromised information;
  • the type of person or people who obtained the information; and
  • the nature of the potential harm that may result from unauthorised disclosure.

If a reasonable person, an objective bystander, would conclude that serious harm to the individual(s) whose information has been compromised is likely, there is considered to be a real risk of serious harm.

If an organisation has experienced a data breach in which data is lost, stolen, improperly disposed of, or accessed without authority, and the information could carry a real risk of serious harm to an individual or individuals, it is an eligible breach. A suspected breach must be assessed within 30 days, and once the organisation has reasonable grounds to believe the breach is eligible it must notify the OAIC and the affected individuals as soon as practicable.


Privacy Amendment (Notifiable Data Breaches) Act 2017: Introduction to the new legislation

This is Part 1 in our new 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018.


Australians will see changes in digital security practices in 2018 in the face of new privacy protection laws. The Privacy Amendment (Notifiable Data Breaches) Act 2017 ("NDB") is an important new addition to legislation that will change the nature of digital security for Australian businesses, and ultimately for all Australians. The NDB Act is an amendment to the Privacy Act 1988, and introduces mandatory reporting in the case of an eligible data breach.

Under the new law, if a known or suspected data breach involves a real risk of serious harm to one or more individuals, the breach must be reported to the Office of the Australian Information Commissioner (OAIC) and to the affected individual(s).

How will the NDB increase privacy protection?

The NDB scheme is designed to encourage organisations to increase digital security by creating strong disincentives for data holding entities to allow a security breach.

The NDB is therefore a principles-based approach to increasing privacy protection. It functions as a self-regulating system by increasing the potential consequences of weak digital security. Businesses don't want to publicise data breaches; doing so involves an expensive clean-up and an inevitable loss of confidence from customers. However, unreported breaches could now incur penalties of up to $1.8 million in fines, as well as negative publicity and legal costs.

With organisations soon obliged to report a breach, they will increase digital security in order to avoid one. Under the new law, data holding entities will be inclined to take data security more seriously than ever before.

Who is affected by the NDB?

The NDB Act, as an amendment to the Privacy Act 1988, is applicable to all entities operating under the Privacy Act, including:

  • entities deemed to hold information disclosed to overseas recipients;
  • credit reporting bodies and credit providers;
  • organisations that hold tax file information;
  • government organisations, health providers, and educational institutions; and
  • businesses or not-for-profits with an annual turnover greater than $3 million.

The NDB directly affects organisations, but all Australians stand to benefit from the scheme. Because of the heavy penalties and reputation risk involved, and the wide scope of the NDB in business, Australians can assume that this new digital security legislation will reduce the incidence of data breaches. Additionally, it will promote transparency in privacy protection; it will offer affected individuals the opportunity to mitigate the negative effects of compromised personal data.

What are the key changes to current legislation?

The current Privacy Act leaves data breach notification at the discretion of data holding organisations. A business can decide whether or not it wishes to report data breaches to the OAIC, or to individuals whose personal information has been exposed by a data breach. Often, individuals are not warned when their data is accessed by potentially malicious parties, meaning they may be unable to take preventative action.

When the NDB scheme commences next month, this will change. If an eligible data breach occurs, organisations will be legally obliged to report to the OAIC and to individuals at real risk of serious harm. Not to do so will incur heavy financial penalties and a likely loss of trust from the Australian public and partner organisations.

Under current legislation, there is no time limit within which a breach must be handled. Under the NDB, if an organisation experiences a confirmed breach, or has reasonable grounds to suspect a breach has occurred, it must conduct an expeditious assessment within 30 days.

When does the NDB come into effect?

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by Parliament in February 2017. The key amendments will commence on 22nd February 2018. Any organisation that experiences an eligible data breach from this date will be required to follow the reporting procedures of the NDB.

Regulatory bodies and data security experts suggest businesses take immediate steps to safeguard their digital security in preparation for the change. For some tips on how to strengthen your organisation's digital security, see our post 10 Tips to Secure Your Company's Data Against Cyber Threats.


The Uber data security breach and Australia’s new security legislation

What happened?

Popular ride-hailing app Uber is facing scrutiny worldwide after a massive digital security breach and cover-up was revealed last month. The data breach, performed by two external hackers in October 2016, affected 57 million drivers and passengers using Uber.

The company reportedly paid US$100k to silence the hackers responsible for the breach, successfully concealing the incident for over a year.

The hackers accessed sensitive personal information including the names, email addresses, and phone numbers of more than 50 million users, as well as licence numbers of drivers. Uber has offered assurance that no financial information was accessed, but has not disclosed detailed information about the nature of the breach to the media.

With facts about the incident now being rapidly unveiled, Uber faces liability in several jurisdictions worldwide. Public pressure from the US, UK, the Philippines, and Australia is topping off a year of heavy controversy for the business. 


What does the present and future backlash look like for Uber?

Uber is facing strong criticism not only for the breach itself, but for the immoral cover-up that followed. Data breaches, and the identity theft that often results, are of worldwide concern. Governments, companies, and members of the public all recognise the need for tighter security and mandatory reporting.

Australia will see new data security legislation come into play in early 2018, requiring eligible data breaches (those likely to result in serious harm) to be reported to the Office of the Australian Information Commissioner (OAIC) and to affected individuals. Legislation is also tightening in the EU: from May 2018 the General Data Protection Regulation (GDPR) will impose stronger penalties for failure to report a data breach. In all but two US states, it is already mandatory to report data breaches that involve personal information.

Though the financial consequences for Uber under current regulation are still unclear, this incident comes on the tail of a bad year for the company. After reports of concealed sexual assault and driver mistreatment, underpaid drivers in NYC, and the contentious move by TfL to remove Uber’s licence to operate in London, Uber’s reputation has taken a strong hit in 2017.

Damaged reputation is just one consequence for companies that have reported — or concealed — serious data breaches like that experienced by Uber. With reports suggesting that 2018 will see the incidence of breaches continuing to rise, companies are recognising the need to tighten current data security in order to avoid the inevitable reputation damage and financial consequences of a breach.

Uber is not the only global-scale company facing pressure after a security breach. Yahoo and Equifax, among other big names, have experienced breaches of this nature in the last few years.

What does the new legislation mean for organisations like Uber?

With large global companies experiencing these types of breaches and their consequences, the nature of the reporting action taken by big organisations is likely to change dramatically next year. New laws will be cracking down on reporting practices worldwide, especially in the EU and Australia.

If Uber's data breach had fallen under Australia's impending laws, the company could be facing far more serious consequences. From February 2018, the consequences for companies can include financial penalties of up to $1.8 million, investigation by the OAIC, court-enforceable undertakings, and orders for compensation.

The same is true of new EU laws, under which fines will reach 4% of annual global turnover, or €20 million, whichever is greater. In the case of Uber, this could entail upwards of $260 million, on 2016 annual global revenue.

With businesses facing such severe consequences for data breaches, there is no room for error in digital security practices in 2018. Businesses in Australia and around the world should be looking to tighten security at every stage of their process.

What can Australian firms do to prevent digital security breaches?

Breaches occur where there is a gap in the system. Keeping data secure requires strict controls from its collection through to its destruction. Before anything else, companies should assess whether they truly need to hold sensitive data at all.

If they do, the systems and drives that store it should be protected (encrypted, access-controlled, and kept patched), and staff should be educated on cyber security best practice. Monitoring and alerting should be in place so the company learns of a breach promptly rather than months later. Once data is no longer needed, it should be completely and securely destroyed.

Find a full list of our top 10 ways to avoid a data breach here.

End-of-life data is one of the biggest gaps in current practice Australia-wide. We want to assure Australian businesses that there is a safe, secure, and ethical way to deal with data at the end of its life, one that avoids heavy fines and maintains customer trust.