[BreachExchange] Australia: Recent updates announced to the notifiable data breach regime

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 3 20:12:39 EDT 2017


https://www.lexology.com/library/detail.aspx?g=1c50eb70-544a-41ae-958e-
d5689fb8d257

The Office of the Australian Information Commissioner (the OAIC) has
released further draft guidance on the notifiable data breach regime in the
lead up to the commencement of the new laws on 22 February 2018.

Late last week, the OAIC published further information on the information
that must be provided to the Information Commissioner after a notifiable
data breach occurs. In particular, the OAIC released the following
documents:

1. draft guidance on what information should be included when notifying the
Information Commissioner of an eligible data breach (which can be found
here)

2. a draft Notifiable Data Breach Statement in word; and

3. online draft Notifiable Data Breach Statement smart form (which can be
found here)

The draft notifiable Data Breach Statement is divided into two parts.

- Part One contains the information that an organisation must provide to
the OAIC as well as to individuals when notifying that an eligible data
breach has occurred. This includes information such as the description of
the breach, the types of information involved and what steps are
recommended that the affected individual takes to reduce the risk of
experiencing serious harm as a result of the breach.
- Part Two of the statement is optional, and contains information that the
OAIC would like to receive to assist in understanding the eligible data
breach. This information does not need to be provided to individuals when
notifying of an eligible data breach. The information requested in Part Two
of the statement relates to the details of a breach such as when it
occurred, when it was discovered, its primary cause and how many people
were affected. While providing this information is described as being
optional the OAIC says that it may contact parties and request further
details where Part Two of the statement is not completed.

In our view, key issues for businesses to consider from the OAIC's guidance
and draft statement are that:

- In order to provide the required Data Breach Statement organisations will
need to have a strong understanding of the specific circumstances of the
breach including the types of records compromised, whether other
organisations may be impacted and how the underlying security breach event
occurred. Organisations may struggle to provide these details unless they
quickly engage experts to help manage their incident response.
- The Data Breach Statement includes questions regarding how organisations
intend to notify individuals who are likely to be at risk of serious harm
due to the breach. Providing this information will require companies to
quickly assess what notification provider they intend to engage, and how
they propose to manage communication with the individuals who may be
impacted by the security event.
- The Data Breach Statement also seeks details about the actions companies
intend to take to assist individuals whose personal information was
compromised by the data breach. This step will likely require companies to
quickly assess the risks and nature of harm individuals may be exposed to
and to have sufficient resources available so that they can actively engage
with and assist individuals who are notified.

The depth of information which must be provided to the OAIC highlights how
important it is to be fully prepared for the notifiable data breach regime.
Organisations should be preparing and testing their data breach response
plan and ensuring that it contains detailed policies and systems to ensure
prompt notification to the OAIC and affected individuals after an eligible
data breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171003/932cb630/attachment.html>


More information about the BreachExchange mailing list