What HR needs to know about the new data breach laws

With the new data breach notification laws taking effect this month, HR needs to be aware of how they could impact their organisation.

How many businesses can you name who have been involved in high profile data breach incidents? Uber, Heathrow Airport and Equifax are among the many organisations which have had their data security systems hacked or compromised, and that’s only in the past two years. And who can forget the Ashley Madison website data breach of 2015, when the personal information of thousands of would-be, or actual, adulterers was stolen and leaked onto the internet for all to see?

Even if your business doesn’t possess such compromising data, it’s highly likely your business is still holding personal information which is subject to the Australian Privacy Principles – such as employees’ and customers’ names and addresses. If this is the case, you should be aware of some recent changes to Australia’s privacy laws, which are going to take effect this week.

The old “Wild West” of data breach disclosure

Prior to the implementation of these new laws, Australian businesses were actually not required (strictly speaking) to report data breaches to the Office of the Australian Information Commissioner (OAIC), or even notify the individuals affected. While disclosure was encouraged and is a prudent step in reducing public relations damage, businesses were largely left to manage their own obligations and compliance with the Australian Privacy Principles. This is no longer going to be the case.

The new laws

Effective from 22 February 2018, a new “Notifiable Data Breaches scheme” will be operational and will apply to all organisations with obligations under the Australian Privacy Principles. In essence, the new scheme will introduce an obligation to inform people whose personal information is exposed by a data breach likely to result in “serious harm” to those people. OAIC must also be notified about these data breaches.

The term “serious harm” is curiously not defined in the new laws. OAIC has published some new guidelines on this topic, which suggest that serious harm may include serious physical, psychological, emotional, financial, or reputational harm. It also recommends that the risk of serious harm be assessed holistically, having regard to both the likelihood of harm to the individuals involved, and the consequences of that harm.

We generally recommend that businesses whose data has been compromised, take a conservative approach when assessing harm, and to err on the side of the concluding that serious harm was involved, rather than not.

If a data breach is covered by the new scheme, the notification obligation will generally involve two steps:

1. preparing a statement which contains certain required information about the data breach (eg. about the nature of the information involved); and
2. providing the statement to OAIC, and notifying the affected individuals.

If your business only suspects that a data breach has occurred, it is not required to comply with the notification obligations immediately. However, your business will need to complete an investigation into the relevant circumstances within 30 days. Ignoring the problem won’t make it go away!

What happens if your business doesn’t comply with the new scheme?

A failure to meet the requirements of the new scheme will be considered equivalent to interfering with the privacy of an individual under Australia’s privacy laws. This will allow OAIC to investigate, make determinations and provide remedies for non-compliance with the privacy laws. OAIC can also instigate various consequences for offenders, including public apologies, compensation payments and, for serious breaches or repeat offenders, civil penalties. The civil penalties are currently up to $420,000 for individuals and up to $2.1 million for companies.

What is your business required to do now?

1. OAIC has prepared a useful guide which explains the intricacies and requirements of the new scheme. We recommend you review this guide to ensure you are up-to-speed with the new scheme and what it means for your business.
2. As always, failing to plan is planning to fail. We recommend that your business prepare a data breach response plan (or update its existing plan), to ensure that it is ready and able to respond to any future data breaches, while complying with the new scheme.
3. Most importantly, you should review your current information security arrangements to ensure they are up to date and sufficient to protect the integrity of any personal information your business is holding. After all, if you can prevent the problem arising, you won’t need to worry about the solution!