While Australia’s new mandatory data breach notification laws could result in civil penalties for companies that seriously and repeatedly fail to comply, non-compliance with Europe’s even more far-reaching data protection legislation may expose them to even harsher punishments – despite being so far removed geographically.
In addition to outlining specific guidelines for compliance, the Privacy Amendment (Notifiable Data Breaches) Act 2017, effective 22 February this year, also brings with it penalties for serious and repeated failure to comply.
The new laws reflect a global shift by governments aimed at returning control over personal data to consumers.
The Act requires public and private sector organisations (including private schools) with an annual turnover of more than A$3 million to promptly report data breaches that are likely to result in serious harm, both to the Office of the Australian Information Commissioner (OAIC) and to the individuals who may be affected by the breach.
The Explanatory Memorandum for the NDB Act recognises the potential for serious psychological, emotional, economic and financial harm.
Interestingly, the NDB Scheme also applies to not-for-profit organisations and to some small and medium-sized enterprises earning $3 million or less: those that are health service providers, that trade in personal information, that provide services as contractors under a Commonwealth contract, or that are credit reporting bodies.
The most common situations in which companies must notify the OAIC and affected individuals under the NDB Scheme include the loss or theft of a device containing customers’ personal information, the hacking of a database containing personal information, and personal information being mistakenly provided to the wrong person or released to the public.
Immediate remedial action
To demonstrate willingness to comply with the NDB Scheme, we encourage companies to have an up-to-date data breach response plan.
Data breaches involving personal information that are likely to result in serious harm to any individual affected are referred to as ‘eligible data breaches’. Where information is lost, companies need to take effective remedial action to prevent unauthorised access to, or disclosure of, that information, or to prevent any serious harm resulting from it.
However, if a company takes the necessary remedial action, it will not be required to notify affected individuals or the OAIC.
If a company suspects that an eligible data breach has occurred, it is required under the Act to take reasonable steps to assess whether that is the case and to complete that assessment within 30 days.
Where an entity fails to realise that there are reasonable grounds to suspect that an eligible data breach has occurred, or fails to undertake an adequate assessment, the OAIC may direct the entity to notify individuals affected by the breach.
The information that must be included in the breach notification includes the name and contact details of the entity, the information affected, and the recommended steps individuals can take in response to the breach.
Where it’s not possible to notify affected individuals directly, the company must publish a copy of the statement on its website and take reasonable steps to bring its content to the attention of affected individuals.
Financial and reputational risk
Companies that are not sufficiently protected against data breaches, or not prepared to respond to them, risk not only damage to their standing with customers and the market at large but also significant financial penalties under the NDB Scheme.
Failure to report an eligible data breach will be considered an interference with the privacy of an individual affected, and could be the subject of a complaint to the Privacy Commissioner.
While company directors or management won’t be personally liable for such serious or repeated interferences with the privacy of an individual, companies can be exposed to civil penalties of up to $2.1 million.
No immunity from cross-border risk
In just a few weeks, it will be impossible for any organisation operating in a global marketplace to ignore laws geared towards increased data protection, and here’s why: because it also addresses the export of personal data outside the European Union (EU), the EU’s new General Data Protection Regulation (GDPR), effective 25 May 2018, has serious implications for businesses in Australia.
As well as imposing administrative fines of up to €20 million, the GDPR also gives individuals the right to compensation for any material or non-material damage resulting from an infringement. In light of these harsh penalties, Australian companies must ensure they successfully delete personal records, especially where storage across multiple locations makes it difficult to confirm that deleted data is really gone.
Review and update rather than ignore
Rather than trying to ‘run the gamble’ and sweep data breaches under the carpet in the hope no one will find out, we urge all affected companies to review and update their policies, processes, staff training, IT security systems, technology solutions and third-party engagement, to ensure compliance with this new wave of regulatory requirements.
Given that data protection affects the entire business enterprise, and not just those in IT, companies should also review and update the appropriateness of their cyber security and, where necessary, collaborate with customers to improve privacy protection. A chat with our security and privacy services specialist Michael Shatter and his team may be a good place to start.