Data breach – be aware and prepare
Be Aware
On 22-Feb-2018 a new amendment to the Australian Government’s Privacy Act 1988[1] came into effect and introduced new legal requirements for entities to respond to and report data breaches involving personal information.
Organisations that ignore their obligations under the Australian Privacy Act and poorly manage personally identifiable (customer) data can no longer hope to survive by hiding in the shadows. They will be discovered, and they will be exposed (publicly).
The Notifiable Data Breach (NDB) scheme[2] applies to entities that already have obligations under the Australian Privacy Act (such as the 13 Australian Privacy Principles, listed below). This includes all Government agencies as well as many private sector and not-for-profit organisations whose annual turnover exceeds $3 million.
The new laws have implications for the retail industry – given the amount of customer interaction and data that is collected in order to provide a personalised customer experience that is now expected – but I would argue it’s for the better.
Each entity is ultimately responsible for determining their own obligations under the law, and should be aware of the changes and assess their individual specific circumstances against the guidance provided by the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme
What Changed
The new laws do not remove any existing legal obligations under the Privacy Act – including the 13 Australian Privacy Principles (APPs), which were introduced in 2014 to replace the National Privacy Principles.
The 13 APPs are:
- Open and transparent management of personal information – including having a clear and up-to-date privacy policy.
- Anonymity and pseudonymity – ensuring individuals have the right not to identify themselves.
- Collection of solicited personal information – and ensuring higher standards are applied to ‘sensitive’ information.
- Dealing with unsolicited personal information and how it is to be managed.
- Notification of the collection of personal information and under what situations this is required.
- Use or disclosure of personal information and the situations when this may occur.
- Direct marketing and the conditions that must first be met.
- Cross-border disclosure of personal information and steps that must be taken before doing so.
- Adoption, use or disclosure of government related identifiers such as driver’s licences or passports.
- Quality of personal information, including ensuring it is accurate, up to date and relevant to the intended use.
- Security of personal information and requirements for preventing its misuse, loss or unauthorised access.
- Access to personal information and the entity’s obligations to provide it once a request is made.
- Correction of personal information.
The new laws are primarily aimed at ensuring entities that manage and store personal data are made accountable for it. The threat of legal recourse is an incentive for entities to ensure they have implemented reasonable measures to prevent data breaches and the loss of personal data that is under their control.
Specifically, entities are now legally obligated to report (to the persons involved and to the Government) any instances where a data breach is “…likely to result in serious harm to any individual whose personal information is involved” (Office of the Australian Information Commissioner, 2018).
What Does It Mean?
The new laws don’t prevent the collection of data – rather, they impose more stringent controls on the entities that collect it. They also encourage and provide guidance for the proper handling and management of that data.
The laws don’t just apply to your customer database(s) – they apply to anything that is used to store personally identifiable information, including, but not limited to:
- Financial systems and payroll.
- Email and text messages.
- Data stored on mobile devices such as smartphones, laptops and USB drives – which are highly susceptible to both loss and theft.
If it wasn’t already on the agenda, these new laws will ensure information security is now right at the top of a business’s priority list, and it needs to be taken seriously. Businesses must evolve and become more informed and smarter in this always-on, always-connected digital age. Some will see this as a burden on their businesses, while others will see it as an opportunity and will embrace it.
So, Our Data is Safe Now… Right?
If history tells us anything, data breaches are real and occur all the time. But if multi-million- and billion-dollar organisations such as Yahoo, Facebook, Uber, Equifax, Target and Sony are unable to protect themselves – what hope do the rest of us have?
This is a good question – and not one I think I can answer easily. For some, the effort needed to ensure adequate measures are in place may be simple and straightforward. For others, it could be quite involved. Again, it depends on what data is being managed, where it resides and what its intended purpose is.
The cynic in me ponders the value of personal data when it is held by an entity whose annual turnover does not meet the $3 million threshold.
Quite legitimately, I could be a business entity that sells high-end sports cars (Lamborghinis, Ferraris, etc). I may only sell to 15 customers in a year, and in doing so I exceed the threshold and am now obligated to report any data breach.
However, if I have a small online store and sell low-price gifts ($10-$20), I could quite easily have thousands of customers – yet not exceed $3 million in annual turnover, and so not be obligated to report a data breach.
There is no doubt in my mind, however, that while the new laws are a step in the right direction, they will not stop data breaches – they will simply ensure we are notified when they occur.
[1] Australian Government – The Privacy Act 1988 – https://www.oaic.gov.au/privacy-law/privacy-act/
[2] Notifiable Data Breach Scheme – https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme