What would you do if your business’ IT systems were the subject of a cyber-attack resulting in disclosure of personal information? Or if an employee failed to securely dispose of customer files? Or if, through human error, customer email details were inadvertently disclosed to the wrong recipients?
Since the COVID-19 pandemic hit earlier this year, and with metropolitan Melbourne back in lockdown due to stage 4 restrictions, many businesses have been forced to operate remotely and have their employees work from home. While challenging for many reasons, these work arrangements bring an even greater risk of a data breach, for example through increased cyber-attacks or the imprudent disposal of customer files and/or personal information.
With the introduction of the Notifiable Data Breach Scheme in 2018, businesses covered by the Privacy Act (the Act) now need to devise and implement a Data Breach Response Plan. Under the Act, businesses are also obliged to notify the Privacy Commissioner of certain types of ‘notifiable’ data breaches. A Data Breach Response Plan can assist staff in determining when this may be a live issue, and how to minimise the risks associated with the Notifiable Data Breach Scheme.
What is a data breach?
A ‘data breach’ occurs when personal information is lost or subjected to unauthorised access or disclosure. ‘Personal information’ is information about an identified individual, or an individual who is reasonably identifiable. Examples of personal information include an individual’s name, signature, address, phone number, date of birth, email address, their photograph, credit information, employee record information, as well as ‘sensitive information’ such as information about a person’s health or genetic information, their race or sexual orientation, their political opinions or criminal record.
A data breach may be caused by malicious action (by an external or internal party), human error, or by a failure in information handling or security systems.
The Privacy Commissioner’s recent report (covering January to June 2020) finds malicious and criminal attacks to be the leading cause of data breaches, with human error being the second most common cause.
Examples of human error causing data breaches include loss of a laptop or of paper records, imprudent disposal of documents, and sending out a group email using the ‘cc’ function instead of ‘bcc’, thus disclosing third-party email addresses.
Data breaches can also occur through inappropriate or fraudulent use of databases containing personal information, whether by an employee or by an external party. Breaches can have serious effects not only for the individuals concerned but also for the businesses responsible, which can suffer reputational damage as a consequence.
What kinds of data breaches need to be notified to the Privacy Commissioner?
Under the Act, certain types of data breaches need to be reported to the Privacy Commissioner and/or affected individuals. This is the case where a data breach is likely to result in serious harm to any of the individuals to whom the information relates. Serious harm could include harm to their physical or mental well-being, financial loss, or damage to their reputation.
Examples of harm include:
- financial fraud including unauthorised bank account transactions or credit fraud;
- identity theft causing potential or actual financial loss;
- serious psychological or emotional harm; and
- a likely risk of physical harm or intimidation (including family violence).
What is a Data Breach Response Plan and what must it contain?
When a data breach occurs, a quick and effective response can have a positive impact on people’s perceptions of an organisation’s trustworthiness. Being prepared for a data breach is important for all organisations that handle personal information, and businesses bound by the Act are required to have and implement a Data Breach Response Plan.
The Plan is a framework setting out the roles and responsibilities involved in managing a data breach and details the steps the business should take if a data breach occurs.
Your Plan should outline your business’ strategy for containing, assessing and managing the incident from start to finish. By responding quickly, you can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.
The Plan should include strategies for containing and remediating data breaches and establish a clear and immediate communications strategy that allows for the prompt notification of affected individuals.
The Plan should, among other things:
- enable staff to know what a data breach is and what consequences may flow from one;
- establish clear escalation procedures and reporting lines for suspected data breaches;
- identify the individuals within the organisation who comprise the data breach response team, including roles, reporting lines and responsibilities;
- set out the circumstances where external advice should be sought (such as legal advice);
- provide an approach for conducting assessments of circumstances that may result in a notifiable data breach;
- set out when law enforcement, regulators (such as the Privacy Commissioner), or other entities may need to be contacted;
- include a record-keeping policy to ensure that breaches are documented;
- include a strategy for identifying and addressing any weaknesses in data handling that contributed to the breach;
- provide for regular reviewing and testing of the Plan; and
- set out a system for a post-breach review and assessment of the data breach response and the effectiveness of the Plan.
How we can help
With considerable expertise in devising businesses’ privacy policies (which are also mandatory for businesses covered by the Act), and in preparing and implementing Data Breach Response Plans, KCL Law’s Privacy team can assist you to learn of, and comply with, your obligations under the Act.
More information
For more information on your obligations, or assistance in preparing and implementing a Data Breach Response Plan, please contact Daniel Kovacs, Principal Lawyer, on (03) 8600 8859 or dkovacs@kcllaw.com.au.
Note: This update is a guide only and is not intended to constitute legal advice.