For businesses in Australia, the potential reputational and financial risks associated with cyber security and data breach incidents are serious and very real.
Written by Suzie Leask – Associate Director, Australian Business Lawyers & Advisors (ABLA)
Regulators are closely monitoring data protection and privacy law compliance on a global basis, and so are tech-savvy customers. Cyber security is no longer just an IT issue, but must be proactively managed by organisations across all aspects of a business’ operations.
A complex and international legal jigsaw – Notifiable Data Breach Scheme
In February 2018 the mandatory data breach notification regime was introduced in Australia as part of the Privacy Act 1988 (Cth), making businesses publicly accountable for ‘eligible data breaches’ where the access, disclosure or loss is likely to result in ‘serious harm’ to the relevant individuals.
Keep in mind these mandatory notifications have effectively provided the regulator with a window into a business’ privacy compliance program, or lack thereof.
We strongly recommend businesses consider getting legal advice about:
- whether the breach is an eligible data breach such that notification is actually required
- if so, the content of the notification to the regulator and any early remedial steps that should be taken alongside the regulator’s investigation to prevent recurrence.
General Data Protection Regulation (GDPR)
The European Union (EU) GDPR also commenced in May 2018, with international reach affecting many Australian businesses, particularly in the digital or online marketplace. The GDPR applies to Australian businesses that:
- are established or have an office in the EU
- offer goods or services to individuals located in the EU (including via the internet)
- export or process any personal data from the European Economic Area
- monitor the behaviour of individuals in the EU.
Businesses that do not comply with the GDPR can face hefty fines of up to the equivalent of €20 million or 4% of annual worldwide turnover, whichever is higher. It’s worth checking to see if the GDPR applies to your business.
Office of the Australian Information Commissioner (OAIC): a stronger and better resourced regulator
It is clear from reported data and privacy breaches, and from the tough statements issued by the OAIC, that cyber security, data protection and privacy law compliance will continue to be closely watched by regulators globally as they test both the new Australian data breach regime and the reach of the GDPR.
Increased funding to the tune of $25 million over three years has also been announced to give the OAIC additional tools to pursue a more active enforcement approach.
Also pending are proposed increases to the maximum penalties under the Australian Privacy Act for serious or repeated breaches, raising them to the higher of:
- $10 million for serious or repeated breaches (up from $2.1 million), or
- three times the value of any benefit obtained through the breach and misuse of personal information, or
- 10% of the entity's annual domestic turnover.
This, combined with proposed new infringement notice powers and penalties of up to $63,000 for companies or $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches, would bring the Privacy Act into line with other Australian consumer legislation and move it closer to the stricter requirements and tougher penalties available under the GDPR.
The statistics: a real business problem
In the meantime, the statistics clearly show the reality of the cyber security and data breach threat. In just the first year of the notifiable data breach scheme:
- there were 964 eligible data breach notifications
- 60% were malicious or criminal attacks
- more than a third of breaches were attributed to human error (e.g. sending emails to the wrong recipient).
The percentages were even higher in the health and finance sectors, which reported the most breaches and where human error was the leading cause.
This clearly underlines the importance of training staff on privacy obligations and procedures, given they are on the front line of protecting an organisation from breach.
Top five legal tips for a cyber resilient business
With an increasingly online business marketplace and savvy consumers expecting businesses to respect their privacy, it is critical for businesses to get across the complexities of Australian and international data privacy laws and implement practical, organisation-wide compliance programs led by a cyber-conscious strategy.
At a minimum, to minimise cyber and data breach risks we recommend businesses:
1. Conduct a cyber and data privacy compliance audit
Ensure your business is across the relevant regulatory requirements that may apply to it. This means everything from up-to-date privacy policies tailored to your business, including:
- relevant permitted uses and consents as your business services evolve
- collection notices
- cookie policies
- consideration of whether the GDPR applies to you
- privacy by design across your whole organisation
- training your staff who are on the frontline dealing with personal data and sensitive information.
Your compliance strategy should take into account your organisation’s specific, bespoke data lifecycle (including across group companies and business units), from data collection and relevant types of information, permitted uses, disclosure, storage, de-identification, destruction and more.
2. Conduct a cyber security review
Undertake a review of your cyber security position to reduce risks of breach and ensure cyber security is on your agenda, with appropriate policies, training and strategies implemented.
Cyber security is a critical part of your legal privacy obligations and, combined with a comprehensive privacy by design approach to organisational structure, data flows and IT systems, can significantly reduce the likelihood of data breaches and the subsequent public damage to your brand and your customers’ trust.
3. Prepare a data breach response plan
Be ready to deal with mandatory data breach notification obligations swiftly and effectively by putting in place a Data Breach Response Plan.
Between human error, malicious cyber attacks and phishing incidents, the reality is all businesses are at risk. Having an effective plan in place that corresponds to the legal considerations can:
- better protect your business
- catch breaches early
- prevent unnecessary harm to your customers
- avoid having to report the breach where it is effectively contained, so that no serious harm results and no eligible data breach occurs.
4. Overseas disclosure
Businesses should make sure they know where their data is at all stages of the data life cycle, which often means asking IT service providers (both in house and external contractors) where your business’ data is going.
Overseas disclosures or transfers of data, particularly via IT service providers, data centres and cloud storage or hosting services, are more common than you think.
Businesses in Australia remain accountable for any breaches of the Australian Privacy Principles (APPs) by overseas third party providers.
You should ensure any IT service agreements impose appropriate compliance obligations that align with the APPs and the GDPR (as appropriate), including obligations to assist you with investigations and mandatory reporting in the event of a data breach.
5. Data retention and destruction policies
Under the APPs, there is a specific obligation on businesses to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any permitted purpose unless required by law to retain the information for a certain period (or another lawful reason).
The OAIC recently reminded all organisations following a bank’s data breach that organisations should proactively manage their data holdings and:
“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date… data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed…”
Failing to do so can increase the risk that personal information will be compromised. Organisations are responsible for enforcing data retention obligations when outsourcing to contracted service providers.
Interested in updating or reviewing your privacy and data breach policies and practices? Get in touch with our cyber and data privacy legal experts for a confidential discussion. ABLA provides competitive fixed fee packages which will help you become compliant.
Get in touch with ABLA on 1300 565 846 or email@example.com today.
A version of this article first appeared on Australia Business Lawyers & Advisors.