Itʼs not too dramatic to say: itʼs not a question of if your business will suffer a data breach, but when. In late May, 100,000 Westpac customer records were compromised, the Australian National University suffered a sophisticated cyberattack, the Australian Catholic University staff database was compromised and the Commonwealth Bank suspended a supplier for a second data breach affecting CBA customersʼ data. The CBA supplier, Landmark White, had already lost $7M worth of business from the first breach.
And thatʼs just the data breaches that attract media attention. Smaller businesses, including lawyers, accountants, schools and health care providers, are attacked daily. The health services sector suffers more data breaches than any other.
In this article weʼll explain how a data breach might occur and how you should respond, including your legal obligations.
What is a data breach? How could it happen?
A data breach occurs when information your business holds is compromised – lost, stolen or sent to the wrong person. If personal information is included then the Privacy Act kicks in and the Privacy Commissioner might have to be notified.
The Privacy Commissioner keeps statistics about notified data breaches. They show that in the last year, 60% of breaches were caused by malicious or criminal attacks, 35% were due to human error and 5% were caused by system faults.
The majority of incidents due to malicious or criminal activity were caused by peopleʼs login credentials being compromised or stolen. The biggest cause of that was phishing (an imposter contacts an employee by email or text message to trick them into providing personal information or passwords).
The most common human error was couriering, posting or emailing personal information to the wrong person. Other simple errors included the loss of information or storage devices or insecure disposal of information (not using secure document destruction).
What you should do
If your business suffers a data breach, there are certain actions we recommend you take and there are obligations you are legally required to meet…
An eligible data breach happens when:
- there has been unauthorised access, disclosure or loss of personal information or the information has been lost in circumstances where unauthorised access or disclosure is likely to occur (e.g. the loss of paper files or an unencrypted laptop); and
- a reasonable person would conclude that, because of that breach, there is a likely risk of serious harm to any of the individuals to whom the information relates.
Likely risk of serious harm
Your first responsibility is to work out if a data breach has occurred and, if you think it has, to take steps to stop any more information being lost.
At the same time you should be working out what information and which individuals might have been affected and whether there is a likely risk of serious harm to those individuals.
The good news is that itʼs up to you to make that decision – itʼs your opinion about whether there is a likely (more probable than not) risk of serious harm. In this case, ‘harmʼ includes financial, physical, emotional and reputational harm.
But you have to make that decision expeditiously and based on reasonable enquiries – that is, you have to investigate the breach. Inaction is not an option. You might need to call in IT security experts and privacy consultants to help you make that decision.
So, if you suspect an eligible data breach has occurred:
- you must undertake an assessment;
- that assessment must be reasonable and expeditious;
- it should be completed within 30 days; and
- once youʼre aware of an eligible data breach – you must give notice.
Giving notice of a data breach
If there has been an eligible data breach your obligations include:
- notifying the individuals whose personal information was involved in a breach that is likely to result in serious harm to them; and
- notifying the Privacy Commissioner of the breach; the Commissionerʼs website provides guidance on what to do.
The notice has to contain at minimum:
- your name and contact details;
- a description of the breach;
- a description of the kinds of information concerned; and
- the recommended steps for affected persons to take in response to the breach so they can protect themselves.
So thatʼs a brief summary of your legal obligations. What weʼve learned is:
- Donʼt panic!
- Not all breaches are notifiable, so get good advice and donʼt notify unnecessarily.
- If the breach is notifiable, honesty and speed are best.
- Itʼs better to confess than to be found out.
- The trust of your customers and your reputation are at stake.
- That loss of trust could lead to a loss of revenue if major customers drop you – think of Landmark White, the CBAʼs supplier.
- The Privacy Commissioner is not there to punish you but to help minimise harm to the affected individuals.
About the Author
Ted Ringrose is a Partner of Ringrose Siganto, a law firm specialising in privacy law. Ted read history and law at the University of Queensland and has a Master of Public Affairs from the University of Sydney. He specialises in privacy law and telecommunications law.
— Note: This does not constitute legal advice and is for general information only.