SMEs need to step up their data security game…or else

In recent times, media reports detailing suspected data security breaches across many Australian business sectors, as well as the prevalence of the “dark web” as a marketplace for personal information, have rattled both business owners and customers alike.

According to the Office of the Australian Information Commissioner, 107 voluntary data breach notifications were received in 2015-16, with the highest number of notifications coming from the Australian Government, finance (including superannuation), health service providers, retail and online services sectors.

While SMEs in these and other sectors already face the threat of data attacks, the move to mandatory reporting laws will mean even more is at stake for those that do fall victim.

Come February 2018, the Privacy Act 1988 (Cth) will impose mandatory reporting requirements on businesses where personal information of their customers is “breached” (meaning that the information has been accessed by or disclosed to an unauthorised person, including if information has been lost or stolen).

SMEs could be hit hardest by the new reporting rules, as they may lack, believe they cannot afford, or be unaware of what is needed to keep personal information safe. SMEs are also at greatest risk of insolvency should they face a penalty under the Act. A large company could shrug off the costs, while an SME could be pushed to the wall.

Generally speaking, businesses need to comply with the Act if they have a turnover above $3 million, provide a health service and hold personal information, are a contracted service provider under a Commonwealth Government contract, receive Commonwealth Government funding, are a credit reporting body, or buy and sell personal information. Not all SMEs meet these criteria, but the laws are considered best practice and it is recommended all businesses align their practices with the Act.

Under the changes to the Act, businesses suspecting a data breach must investigate the suspected breach within 30 days of it coming to their attention to determine whether the breach is likely to cause serious harm (physical, financial, reputational, psychological etc.) to any individual. Sometimes, a breach can be remedied before it has the possibility of causing serious harm. Because of this, SMEs should act upon a breach immediately.

If there is a data security breach with the potential to cause serious harm, businesses must notify the Australian Information Commissioner as well as any people possibly affected. Penalties for non-compliance can be up to $420,000 for individuals and $2.1 million for a company.

Here are four tips for businesses:

1. Review your data collection, use and disclosure practices/policies to ensure they meet the requirements of the Privacy Act.

2. Put systems in place to expediently assess suspected and actual data security breaches, investigate the extent of the breach, and to then take action as required by the Act.

3. Put procedures in place to:

a. Assess, within 30 days of suspecting a breach, whether a reasonable person is likely to conclude that the breach is likely to cause serious harm to any individual; and

b. If you conclude that a breach is likely to cause serious harm:

b.i. Prepare a statement setting out your business’ identity and contact details, a description of the breach, the kind of information concerned, and the steps you recommend the individual should take in response to the breach; and

b.ii. Take whatever steps are reasonable in the circumstances to notify the affected individuals and the Australian Information Commissioner of the statement as soon as possible.

4. Train staff on data management procedures and data breach procedures. Ensure any policies and procedures are written down, communicated to staff and easily accessible.

Emma Simpson, Senior Associate, Rigby Cooke Lawyers