From 22 February 2018, mandatory data breach notification will apply to any individual or organisation regulated by the Privacy Act 1988 (Cth). This will affect financial services businesses and foreign financial service providers with an Australian link and a continued presence in Australia.
Under the new law, if a financial services business is the subject of an Eligible Data Breach then it must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in “serious harm to any individuals to whom the information relates”.
Prior to the new law, there was no requirement to notify an individual who may be affected by a data breach resulting from misuse, interference and loss of personal information.
The key objective of the data breach notification requirement is to permit individuals, whose personal information had been compromised in a data breach, to take remedial steps to lessen the adverse impact arising from the breach.
Small business operators including a small financial services business with an annual turnover of less than $3 million continue to be exempt from the data breach notification requirement under the Privacy Act.
How will it impact a financial services business?
In the event of an “eligible data breach”, a financial service provider must notify the OAIC within 30 days if it has reasonable grounds to believe that an eligible data breach has occurred.
For a “data breach” to give rise to an eligible data breach, a reasonable person must conclude that:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
- there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure of personal information; and
- the business has not been able to prevent the likely risk of serious harm with any remedial action.
‘Serious harm’ is not defined in the Privacy Act. However, in the context of a data breach, in its guidance notice the OAIC, indicates that “serious harm” to an individual may include serious physical, psychological, emotional, financial, or reputational harm. In assessing whether ‘serious harm’ is likely to occur, the organisation should have regard to:
- the kind of information and the sensitivity of the information.
- whether the information is protected by any security measures and the likelihood that any of those security measures could be overcome.
- the kinds of persons who have obtained, or could obtain, the personal information.
- if a security technology or methodology was used and which was designed to make the personal information unintelligible or meaningless to unauthorised persons.
- the likelihood that the persons obtaining the information having the intention of causing harm to an individual.
- the nature of the harm.
Individuals or a business failing to report an eligible data breach may face penalties of up to $360,000 for individuals and $1.8 million for organisations.
When to notify?
It is not intended that every data breach must be subject to a notification requirement. OAIC has issued voluntary Data Breach Guidelines which sets out examples of when data breach notification may be required. For example:
- a malicious breach of secure storage and handling of information including a cyber security incident involving an organisation using third party providers to maintain its web services with databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside the organisation.
- an accidental loss including loss of IT equipment or hard copy documents containing personal information.
- an organisation mistakenly providing personal information to the wrong person or an individual deceiving an organisation into improperly releasing the personal information of another person.
- a negligent or improper disclosure of information including employees disclosing personal information outside the requirements or authorisation of their employment.
How to best manage a notifiable data breach
To avoid a data breach becoming an ‘eligible data breach’ requiring OAC notification, a financial services business must be actively monitoring activities which may potentially give rise to a data breach or data loss and have in place a process to assess and take action in the event that a data breach occurs.
OAIC has prepared a guide to assist businesses and financial service providers to prepare for and respond to data breaches in line with their obligations under the Privacy Act.
Meridian Lawyers can assist you to understand your privacy obligations and advise on the compliance with the Notifiable Data Breaches regime and its impact and in developing a data breach response plan.
For further advice please contact our Financial Services Principal Michael Bracken.
Disclaimer: This information is current as of April 2018. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.