Kmart, Deloitte, Yahoo, Virgin America and the C.I.A. – no doubt these names are familiar to you, but did you also know that these organisations (and others) were all involved in some of the biggest data breaches of 2017?
Your digital footprint and your data are everywhere, and you hand them over, often unwittingly, every day of the year. When you sign up to Uber, Menulog, Facebook, Twitter, Internet banking, LinkedIn, Opal Card etc. you are often providing your name, address, gender, birthdate and occupation, all types of information that can identify you as an individual.
Does it matter? It should, because companies can and do use that information to track our movements, our tastes in fashion and culture, our likes and dislikes, our preferences and our buying habits. Companies are geared and organised to capture data for many reasons, including sales and marketing purposes.
Where is all this headed?
It is apparent that Privacy is a major issue for business, especially in the data driven world of "fake news". No one wants to deal with a business that cannot be trusted, and it is well past the time when Privacy obligations could be treated off-handedly by any business or organisation.
Where are we today?
If we look at existing privacy requirements in Australia, we find a regulatory regime that requires transparency from your business: you must be able to disclose (amongst other things) where you hold personal information or data, whether that information and data is shared with others, who can access it, what consents may be necessary, how you protect it, how long you can keep it and what use you will make of it.
What's Happening in February 2018?
The next major shift for Privacy will be mandatory data breach notification. The Privacy Amendment (Notifiable Data Breaches) Act 2017 ("the Act") will commence on 22 February 2018. The Act deals with data breaches, and there are civil penalties of up to $1.8m for serious or repeated failures to comply with the notification requirements. The Act applies to any organisation that is already subject to the Privacy Act 1988 (for example, any organisation with an annual turnover of more than $3m).
The Act refers to unauthorised access to or unauthorised disclosure of personal information, or circumstances where that information is lost in a way that is likely to lead to unauthorised access or disclosure. This could be the result of a hack, a deliberate act by a disgruntled employee or just pure human error. If such a breach occurs AND a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates, it is an "eligible data breach" and there is a mandatory obligation to notify both the Regulator, the Office of the Australian Information Commissioner (OAIC), and the affected individuals as soon as practicable. Two practical points follow from this. First, if you only suspect that an eligible data breach has occurred, you must carry out a reasonable and expeditious assessment, and the Act expects that assessment to be completed within 30 days of becoming aware of the suspected breach. Second, if you take remedial action quickly enough that a reasonable person would no longer conclude serious harm is likely (for example, a misdirected email that is recalled and confirmed deleted before it is read), the breach is not an eligible data breach and notification is not required, although you should still document the incident and your reasoning.
Serious harm includes physical, psychological, emotional, economic, financial or reputational harm that a reasonable person in the entity's position would identify as a likely outcome of the data breach. In weighing that likelihood you should consider the kinds of information involved (health, financial and identity documents weigh heavily), how sensitive it is, whether it was encrypted or otherwise protected, who is likely to have obtained it and what they could do with it.
What can we do now?
Start taking Privacy seriously. The OAIC does, and your Customers expect you to treat their personal information with the respect it deserves. Once you decide compliance is good for business, prepare a Data Breach Response Plan that sets out who does what when a breach is discovered, how the breach is contained and assessed, and how you will:
(a) inform the OAIC of the breach, identifying your organisation;
(b) provide contact details;
(c) provide a description of the eligible data breach;
(d) detail the kinds of information concerned; and
(e) provide recommendations about the steps that affected individuals should take in response to the eligible data breach.
These are the same matters that must appear in the statement given to the OAIC and in the notification to affected individuals, so drafting them in advance as a template means you are not composing them from scratch under pressure. A proper compliance programme, a culture of accountability and transparency and a self-reporting environment is only the first step. If organisations do not take Privacy seriously then they will be left behind by their competitors. Data breaches will occur; how you react is the real question.
About the author
Ledlin Lawyers is a boutique legal firm of specialist business, credit and insolvency lawyers. For more information, go to www.ledlinlawyers.com.au