Australian Mandatory Data Breach Notification – How the new law affects your business
February 22nd 2018 is fast approaching: that is the day mandatory data breach notification (MDBN) finally takes effect in Australia. However, many organisations do not understand their obligations under the more stringent requirements. There is plenty of information circulating that is adding to the fear, uncertainty and doubt (FUD) among Australian company executives and compliance teams about what the new laws mean for their business. The problem is that, under the new rules, organisations are exposed to the risk of fines and costly investigations should an incident result in personal information in their care being misused or stolen. There are significant penalties for non-compliance, and there is a real risk of reputational damage in the event of a breach. For these reasons business leaders need to understand their obligations and put a compliance approach in place before the deadline.
Mandatory Data Breach Notification – The wrong kind of publicity
The nature of the MDBN laws means that, while the intent is to get organisations to better protect the data in their care, anyone aggrieved by that organisation might become a whistle-blower. Even if you have done your due diligence and believe a cyber-attack does not put personal data at risk, members of your customer base, disgruntled employees or competitors might take it upon themselves to post about it on social media or tell the local newspaper. If the Office of the Australian Information Commissioner (OAIC) is the last to find out, and it turns out to be a legitimate, notifiable personal data breach that the organisation ignored, the organisation will have the full wrath of the OAIC (coupled with a costly investigation and a possible fine) to deal with.
Organisations must adopt a cogent and well-considered strategy to deal with incidents, including a plan for how to deal with the press, since this kind of exposure can irreparably damage a business. If you’re one of those that think all publicity is good, whether it’s positive or negative, here are four words that will make you think again – Australian Bureau of Statistics.
Mandatory Data Breach Notification – How to handle a breach
If your organisation is hacked, yet you are unsure of the extent of the compromise, the first thing to do is kick off the incident management plan and start an investigation. That plan includes containing the breach and following your rehearsed steps for dealing with an attack: drafting PR statements, communicating with executives and performing a deeper technical analysis of what happened. Your incident response team will analyse system and application logs, looking for evidence of the attacker's intrusion into each of your important systems. At this stage, T+0 (the moment you find out you have been breached), you should treat the incident as a suspected 'eligible data breach' under the MDBN law and give it the highest priority. The law requires you to assess a suspected eligible data breach promptly (within 30 days at most) and, once you reasonably believe it is one, to notify as soon as practicable, so start preparing the official statement (known as a notice) that you will send to the OAIC and the notice you will send to affected individuals in parallel with the investigation rather than after it. Supporting information to help the OAIC understand the nature of the breach may also be provided if appropriate.
Mandatory Data Breach Notification – The OAIC’s response
The OAIC may contact you shortly after you give notice to talk through your incident response activities to date and understand how the investigation is unfolding. If they believe you have everything under control, they will likely leave you to it. However, if they do not think you have the situation under control, they may decide to become involved. The OAIC has the power to investigate incidents involving the compromise of personal information. If you have tried to mislead them or downplay the severity of the incident, they will soon find out, and at that stage their approach may become more confrontational. If the OAIC launches a formal Commissioner Initiated Investigation (known as a CII), this will include a deep dive into the processes, technology and even personnel security measures in your business, so it can become intrusive and incredibly time consuming. The reality, however, is that the OAIC, like any other central government department, works on a limited budget and has limited staff and resources to conduct investigations of this kind, so higher profile breaches will be given priority, such as the exposure of the Red Cross donor database in October 2016. In a public statement the OAIC has acknowledged that it intends to focus on helping organisations comply with the new privacy legislation rather than on punishing those that do not, so its approach is fundamentally cooperative and encouraging.
Mandatory Data Breach Notification – Consequences of not reporting
The most likely consequence of not reporting an 'eligible data breach' is that the OAIC finds out about it through the media or an aggrieved consumer and launches its own investigation. Any decision not to report must follow a proper assessment of whether the incident is notifiable under the new laws. Not reporting should never simply be the accepted default, since it opens the company up to the risk of a hefty fine and the possibility of being named and shamed in the media for trying to cover it up. These outcomes are bad for business, so if the decision is made not to report a breach, even if it is because you firmly believe you do not have to under the new laws, it needs to be signed off as an executive company decision, with the reasoning recorded. If you are unsure what to do in any given circumstance, ask a lawyer who understands Australia's privacy legislation and, if possible, someone who specialises in information security matters.
If you have not reported the breach and the OAIC investigates your organisation and finds it at fault, whether the failure to report was intentional or accidental, it may decide to pursue litigation against the company. Furthermore, your customers may decide to engage a lawyer too, especially where there is a significant breach of personal information, and you may find yourself facing a class action lawsuit.
Mandatory Data Breach Notification – Who needs to notify?
There are a few limited exceptions listed in the new legislation where organisations or agencies are not obliged to notify an otherwise 'eligible data breach', primarily law enforcement agencies (where notification would prejudice enforcement activity) and the national security/intelligence community. Additionally, small business operators with an annual turnover of less than $3 million (AUD) are generally not required to comply with the Privacy Act 1988 and so will not have to comply with the new law; be aware, though, that the Act brings some small businesses back within scope, such as private health service providers and businesses that trade in personal information, so do not assume the exemption applies without checking. Furthermore, if you have taken remedial action before serious harm results, such that a reasonable person would conclude the breach is no longer likely to cause serious harm to the affected individuals, then you are not required to notify.
Be prepared – create an Incident Response Plan
MDBN is coming, so you need to be prepared. If your business does not have an incident response plan, create one and ensure it is updated with response steps that include gathering evidence for notifications to the OAIC and a communications plan for customers affected by the breach. Rehearse the plan, so that when something does happen it is not the first time the process has been tried and tested.
To prevent breaches, you should also consider improving your overall cyber security countermeasures. Auditing and alerting should be core to your operational security capability so that you can detect when a breach occurs, rather than hearing about it from a third party. Also consider rolling out an internal security awareness training programme so that your staff understand the threats from phishing attempts and compromised web servers. Many breaches still start with a phishing email, so creating a security aware culture should be one of the first things you introduce to change your risk exposure.