A month on from the Notifiable Data Breaches (NDB) legislation coming into force in Australia, Control Risks director Carla Liedtke tells StrategicRISK what risk managers need to be doing to stay on top of this legislation.
The new Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018. Previously, disclosure of a breach was voluntary, while this change makes it mandatory for companies operating in Australia to notify authorities of a serious data breach. If companies fail to follow the new regulations, they may face aggressive financial penalties.
Who does this affect?
The legislation affects those entities bound by the Privacy Act 1988; examples include Australian companies with an annual turnover of AU$3 million, as well as federal government agencies, and organisations that hold certain types of data. It also includes any foreign companies with a presence in Australia.
What does the legislation require companies to do?
The ultimate requirement is disclosure of any eligible breach to the Office of the Australian Information Commissioner (OAIC) as soon as practicable. While the requirement itself is straightforward, determining what counts as an eligible breach in practice is harder.
What data: The definition of the data covered is nuanced, but common examples are: name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
What is a serious data breach: A serious data breach is defined as one that results in a “real risk of serious harm” to an individual whose data has been breached. Harm can refer to physical, psychological, emotional, reputational, economic or financial effects.
When to notify: The current language is open to interpretation, stating that the assessment period is 30 days from the day a company becomes aware of a potential eligible breach. This means the clock for the 30-day assessment period starts not on the day you have confirmed the breach, but on the day you become aware that a breach may have occurred.
What else needs to be included in the OAIC disclosure: Companies are not just obligated to define the breach in terms of what happened and what was potentially compromised, but also to explain what proactive work they are going to recommend or provide to remediate the situation for the impacted individuals. This can end up being the most complicated piece for a company to define.
What to say to the individuals: The company must also disclose to the affected individuals, providing similar information as that in the OAIC disclosure. Figuring out how to contact and communicate with the individuals can be a time-consuming process and, if not practicable on an individual basis, can be done via a breach notification form on the website.
What should companies be doing to prepare?
- Companies need to understand the legislation’s requirements from legal, technical and security perspectives and then implement appropriate governance structures to ensure various functions are aware of their role in mitigating the risk of an incident and responding when one occurs.
- Companies should be assessing their response strategy should an incident occur. This involves developing a plan, which will include understanding internal capabilities and the external support that may be required. It is worth noting the Act specifically states that having a Data Breach response plan in place will assist in meeting the obligations.
- Companies should not assume compliance with the bill automatically implies compliance with international legislation, such as the GDPR in Europe, and should ensure any international data transfers remain compatible with national and regional legislation.
- Companies should review their monitoring and reporting processes, as part of implementing a wider defence-in-depth cyber security strategy, to decrease the likelihood that their systems will be compromised and to alert them when potential breaches occur, given that the average breach takes months to detect.
“Control Risks are working with clients helping them develop frameworks and structures to allow them to effectively respond in the event of a data breach. This includes understanding and mapping the data which is subject to this legislation; developing and reviewing response plans; and running exercises to test the plans and the team. The last thing you want your senior executives to be doing in a crisis is running around and scrambling to respond to a complex issue such as this, particularly because these incidents are now being played out in public,” says Carla Liedtke, Director, Control Risks.