Have You Heard About Mandatory Data Breach Reporting?

On February 22 a new Data Breach Reporting regime was introduced in Australia. Under the Privacy Act, businesses are now required to notify their customers of any data breaches that could cause them serious harm.

What’s Considered a Notifiable Data Breach?

First off, a data breach is considered notifiable if confidential client information becomes accessible or is lost as a result of a breach of the privacy laws that are likely to cause harm to the affected individuals. This means, if your business experiences a breach, you will need to identify any affected individuals and determine whether or not the breach is likely to cause them any harm. In these circumstances, harm is considered to be anything from identity theft to serious physical, emotional, financial or reputational harm.

Some points to consider when investigating any possible harm include:

You will need to investigate the likelihood of serious harm on a case-by-case basis.
You will need to investigate the type of information that was breached. This is because certain data can cause more harm than others when it lands in the wrong hands. For instance, Medicare, drivers licence or passport information can be used for identity theft, so if this sort of information is breached, the affected individuals will need to be notified.
If unauthorised parties obtain access to or disclosure of a combination of information and data, rather than just one type, the breach is more likely to afflict serious harm on the affected individual.

However, if you respond to the breach quickly and efficiently, you might be able to prevent serious harm from occurring in the first place. Therefore, your customers won’t need to be notified of the breach. As you can see, it pays to have systems in place so you can get on top of any potential breaches before they cause serious harm.

How Long Do You Have Before You Have to Report a Breach?

After you identify a privacy breach, you will have 30 days to investigate it and assess whether or not it will be classed as notifiable.

If it is notifiable, you will need to report it to the Office of the Australian Information Commissioner (OAIC) as soon as you are able to do so. The expectation is that you report it the moment you discover your breach is considered serious. From this point, all affected individuals will then need to be notified shortly after this.

What Steps Should You Take to Stay in Accordance With These New Laws?

At this stage, your business will be free to deal with possible breaches in any way you see fit, as long as you notify the appropriate parties in accordance with the new mandatory data breach notification laws. To help ensure you remain compliant with these laws, the following steps could prove helpful:

Update your procedures to ensure all staff knows that privacy breaches need to be reported to the applicable staff member immediately. If you don’t have a specific person responsible for this, now is a good time to assign someone.
If needed, train your staff on the updated procedures.
If a supplier is responsible for notifying your business of any breaches, discuss your procedures with them and ensure they are reporting any breaches promptly.

However, one of the biggest things you should do to protect your business is to ensure you have a suitable cyber liability insurance policy in place. This will help protect your business financially in a worst-case scenario type situation.

Want to know more about cyber insurance and what your new responsibilities are under the new privacy laws? Contact your insurance broker at F.D Beck today!