[BreachExchange] Count down to the Introduction of the Mandatory Data Breach Notification Obligations

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 5 20:14:18 EST 2017


https://www.lexology.com/library/detail.aspx?g=921bab46-6579-4763-9bf2-abe3dc76032f

Snapshot of new obligations

A mandatory data breach notification regime under the new Privacy Amendment
(Notifiable Data Breaches) Act 2017 will come into force from 22 February
2018, under which various entities will be required to assess data breaches
and notify individuals and the Commissioner of any such breaches in certain
circumstances.

Who will be affected?

Any entity which is currently, or will be, subject to the Privacy Act 1988
will be required to comply with these notification obligations. This
broadly includes entities which:

- operate a business with an annual turnover of more than $3,000,000;
- provide a health service and hold health information other than in an
employee record;
- disclose personal information about another individual for a benefit,
service or advantage, or provide a benefit, service or advantage to collect
personal information about another individual from anyone else, except in
certain circumstances;
- are contracted service providers for a Commonwealth contract;
- are credit reporting bodies which hold credit reporting information;
- are credit providers which hold credit eligibility information; or
- are file number recipients which hold tax file number information.

What do the new obligations relate to?

The new obligations focus on the steps that a relevant entity is required
to take in respect of an ‘eligible data breach’.

Broadly, there is an ‘eligible data breach’ where there is unauthorised
access to, unauthorised disclosure of, or loss of, information held, where
such access, disclosure or loss is likely to result in ‘serious harm’ to
any of the individuals to whom the information relates.

‘Serious harm’ may include serious physical, psychological, or emotional
harm, in addition to economic, reputational and financial harm.

When assessing whether a data breach is likely to result in ‘serious harm’,
consideration should be given to:

- the kinds of information kept and the sensitivity of such information;
- whether the information is protected by one or more security measures
and, if so, the likelihood that any of those security measures could be
overcome (for example, is the information encrypted or otherwise
protected?);
- the likelihood that the persons who could obtain this information would
have the intention of causing harm to any of the individuals affected (for
example, is the person a cyber criminal who has hacked the system or an
employee who has accessed the information by accident?);
- the likelihood that a person who obtains the information would also have
the technology or method needed to circumvent the security measures
protecting it (for example, whether the decryption key for encrypted
information was also obtained or could be recovered); and
- the nature of the harm.

What to do if you suspect a breach

If you suspect that there is an eligible data breach but do not have
reasonable grounds to believe there has in fact been a breach, the first
step to take is to assess the suspected breach. This involves carrying out
a reasonable and expeditious assessment of whether there are reasonable
grounds to believe that there has in fact been an eligible data breach, and
taking all reasonable steps to complete the assessment within 30 days of
suspecting a breach.

What to do if you become aware of a breach

Notify the Commissioner

If there are reasonable grounds to believe that there has been an eligible
data breach, then you must, as soon as practicable, provide a statement to
the Commissioner setting out:

- the entity’s identity and contact details; and
- a description of the eligible data breach; and
- the kinds of information concerned in the eligible data breach; and
- recommendations about the steps that individuals should take in response
to the eligible data breach (Notification Statement).

If there are reasonable grounds to believe that the eligible data breach
was also an eligible data breach of another entity, the Notification
Statement may also set out the identity and contact details of the other
entity.

If the Commissioner is aware that there are reasonable grounds to believe
that there has been an eligible data breach, then the Commissioner has the
power to direct that a Notification Statement be prepared.

Notify individuals

After providing a Notification Statement to the Commissioner, you must also
notify the individuals or the public in one of three ways, as soon as
practicable:

- if practicable, take reasonable steps to notify each individual to whom
the relevant information relates of the contents of the Notification
Statement;
- if practicable, take reasonable steps to notify each of the individuals
who are at risk from the eligible data breach of the contents of the
Notification Statement; or
- if neither of the above two options are practicable, publish a copy of
the Notification Statement on your website, and take reasonable steps to
publicise the contents of the Notification Statement.

You may notify individuals in the first two options by using the normal
method of communication for those individuals, including by email. If there
is no normal method of communication, then notification can be made by post.

What are the exceptions to notification?

There are a number of exceptions to the notification obligations which
apply in certain circumstances. Broadly, these include:

- where remedial action is taken in relation to the access, disclosure or
loss of information and before any serious harm has resulted, and as a
result of such action, a reasonable person would conclude that the access,
disclosure or loss would not be likely to result in serious harm to any of
the individuals;
- where an eligible data breach is an eligible data breach of a number of
other entities and one entity has complied with the notification
obligations;
- where the eligible data breach has been, or is required to be, notified
under the My Health Records Act 2012;
- where the Commissioner makes a declaration in the public interest; and
- where notification may prejudice enforcement related activities or is
inconsistent with various secrecy provisions.

What you should do to prepare for these notification obligations

Given the impending commencement of these notification obligations,
consideration should be given to taking steps now to review your internal
systems and prepare for these changes. The steps that you should be taking
now include:

- preparing, reviewing, and implementing your cyber security action plan
and breach response plan;
- reviewing and updating your contracts to deal with these notification
obligations;
- updating your corporate governance plan and internal policies;
- understanding your obligations and the steps to take to comply with these
notification obligations;
- preparing draft notification statements in preparation for any potential
breaches to control the message provided to the public; and
- educating and training employees, management and board members to
understand what steps to take in the event of a data breach.

Seek assistance from the experts

Most entities do not have the in-house skills and experience to put in
place appropriate cyber security measures and protections on their own. It
is therefore crucial to engage skilled and experienced cyber security
experts to assist in managing and reducing the impact of cyber security
risks, from both a legal and an IT security perspective.

Legal experts who specialise in cyber security can assist by working with
IT security experts to raise awareness and educate the board, assist
organisations to understand their legal, regulatory and contractual
obligations, prepare a cyber security action plan, establish good corporate
governance procedures, prepare appropriate policies, provide training, and
review contracts and insurance policies to ensure you are ready for these
new changes.