Did you know that as of 22 February 2018, your business may be required to notify the Australian Information Commissioner if you experience a data breach? Is your business ready? Do you have a data breach response plan in place?
Data breaches are becoming more commonplace in Australia. We frequently hear media reports about businesses falling victim to hacking. However, data breaches also occur when businesses have technology problems, system errors or are negligent. It can be as simple as providing personal information to the wrong person or leaving highly classified information in filing cabinets that are subsequently sold. Regardless of the way the information is released and who is at fault, a data breach can cause great harm to a business.
What do you need to know to get ready?
Firstly, you need to know whether these mandatory data breach obligations apply to your business. If your business is already obliged to comply with the Australian Privacy Act 1988, these data breach obligations will apply. This is not limited to businesses with an annual turnover of more than $3 million. For example, these obligations can apply to businesses or organisations with a lower turnover that trade in personal information.
Next, you need to know your obligations. Your business must notify a data breach if the breach is likely to result in serious harm to any individuals whose personal information has been compromised. The notification must be made to both the Australian Information Commissioner (OAIC) and the affected individuals. This notification process usually means the breach will become public.
Finally, you need to implement a compliance plan. Your swift action can not only minimise your liability and reinforce public confidence in your information handling capacity, but it can also relieve your reporting obligations if you take prompt action and avert the risk of serious harm. If you are not able to avert serious harm, you are required to notify the data breach as soon as practicable. Without a plan in place, your ability to respond quickly will be inhibited and you put your business reputation at risk. A data breach response plan also demonstrates that your business takes data security seriously and is a further factor the Australian Information Commissioner takes into consideration in its investigations.
There are serious penalties if your business fails to comply with these mandatory data breach obligations. In addition to other court orders and further investigations by the OAIC, the legislation provides a maximum penalty of $360,000 for individuals and $1,800,000 for corporations.
Contact us if you want any further information on these mandatory data breach notification laws or assistance to prepare a data breach compliance plan.