In case you missed it, this week marks the day Australia's new Notifiable Data Breaches scheme comes into effect. This is our quick "cheat sheet" of what you must know.
Who needs to comply
If you fall into the category of organisations that needs to comply with the Privacy Act, then the Notifiable Data Breaches (NDB) applies to you.
That means if you're a -
- Australian Government agency
- Business or not-for-profit organisation with an annual turnover of $3 million or more
- credit reporting body
- health service provider
- TFN recipient (someone holding a Tax File Number in your systems)
you need to comply with the NDB scheme.
What sorts of breaches must be reported
If you're covered under the NDB scheme, you must report any breach of personal information that is "likely to result in serious harm".
If you think "serious harm" is a bit nebulous, this advice from TAL [PDF Link] says serious harm includes:
- physical harm
- financial/economic harm
- emotional harm (e.g. embarrassment and humiliation)
- psychological harm (e.g. marginalisation and bullying)
- reputation harm
Remember, this is about the leak of PII. And even if someone's name is not specifically associated with the data that is leaked, if the leaked data can be used to identify and seriously harm someone then it needs to be reported.
The NDB scheme does not apply to the loss of intellectual property if that is stolen in a breach. That's already covered under separate criminal laws. The point of the NDB scheme is not to protect the company that was breached but to protect the people whose personal information has been released without their authority.
Who do you report them to and what do you tell them?
Breaches need to be reported to the Office of the Australian Information Commissioner (OAIC).
To make life a little easier, they have an online form for you to fill in. And there's also a guide so you can start to get some processes in place before an incident occurs so you're not scrambling when the faecal matter hits the rotating blades.
As well as identifying your company, you need to provide details about the definable breach and specifically detail what data was released in the incident. They even have a few checkboxes to make that job easier.
What timelines do I need to follow
The OAIC's advice is that once a breach that is covered under the NDB scheme is detected, that the assessment is carried out in a "reasonable and expeditious" timeframe. While that sounds a little fluffy, the expected timing is no more than 30 days. If you need more time to investigate, you can notify the OAIC to let them know you think there's been a breach and ask for more time to investigate.
It is important that any affected parties are notified as soon as possible. But that doesn't necessarily mean shouting the news from the rooftops. For example, if the data breach relates to a piece of malware infecting a retailer website through an ad running a malicious script then only customers who visited the site and whose data was affected need to be notified.
What if I don't tell?
Admitting a data breach is never fun. But if you don't disclose a breach and it comes out later - as recently happened to Uber and, a few years ago to local retailer Catch of the Day, then there are penalties.
Penalties for not notifying affected parties and the OAIC of a notifiable breach include fines of $360,000 for individuals and $1.8 million for organisations.
It's also important to note that companies that are repeatedly breached don't take steps to remedy issues and harden their security can be penalised even if they do notify as per the obligations. The new laws are about improving standards.
What should I do now?
If you're not already prepared for the NDB scheme, the best place to start is understanding what data you have that could be covered by the NDB scheme in the event of a breach.
Then ensure you have procedures in place for contacting all those potentially affected parties.
Review your data security policies, procedures and systems to ensure you're protecting the data as well as you reasonably can. Credit card details in an unprotected spreadsheet is not going to cut it!
Rehearse your processes for disclosing and reporting a notifiable breach and have a communications plan in place for letting customers and the public know what happened.