You left your laptop at the pub and it has a copy of your organisation’s debtor ledger and customer list on it – should you be worried?
Your phone goes missing. It is unlocked and can be used to access the servers at work – is that a problem?
One of your staff opens an email attachment seemingly giving details of an ATO tax refund – ransomware has been installed and you are locked out. What should you do?
Notifiable Data Breaches (“NDB”)
When we talk about “privacy”, it is an intangible concept for most of us; we can’t see it, touch it, smell it, or hear it. But we know what it feels like if our own privacy is breached.
With the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“Privacy Act”) on 22 February 2018, not only is there an obligation on businesses to notify the regulator (the OAIC) about a “serious data breach” but also a requirement to have a Data Breach Response Plan.
Credit Professionals who deal in risk management daily will know privacy is yet another area of business where their risk management skills can come into their own. Protecting the assets of the business is a core responsibility for credit managers. The requirement for an NDB Response Plan is an ideal opportunity for credit managers to shine.
If there has been an “eligible data breach” incident, you have a date with data whether you like it or not. An eligible data breach is where there are reasonable grounds to believe that unauthorised access, disclosure or loss of information will result in serious harm to any individuals to whom the information relates. Here is our checklist of WHAT TO DO when this happens:
1) CONTAIN THE BREACH
- Consider the value of your data – i.e. what sort of data are you dealing with? What is at stake?
- If a breach occurs, move promptly.
- Consider potential and actual data breaches to be serious.
- Consider calling in cyber security experts.
2) ASSESS THE BREACH
- Obtain and evaluate any and all information about the breach.
- Determine and understand the risks posed by the breach.
- Have your notification obligations been triggered?
- If required, conduct a formal assessment within 30 days.
3) NOTIFY THE BREACH
- Is notification necessary to the OAIC and affected individuals?
- What information should be provided in the notification?
- How is the notification to be made?
- Consider all your obligations under the NDB Scheme.
4) REVIEW THE BREACH
- What lessons have been learned?
- What actions can be taken to prevent future data breaches?
- How can your security, privacy policies and handling procedures be improved?
- Document the review of the data breach from start to finish.
To make your Response Plan work, here are our tips for WHAT NOT TO DO:
1) Don’t ignore or delay a response to any actual or suspected data breach;
2) Don’t assume whether it’s a real data breach or not – always assess any data breach;
3) Don’t omit important people or information from the notification;
4) Don’t skip the review or its documentation;
5) Don’t destroy evidence that may be valuable in identifying the cause of the breach.
There are a number of key points that you can take from this article back to your team and business:
1) You need a plan setting out how to deal with any data breach.
2) Think of it like a fire drill – have a team organised and practise your proposed response regularly.
3) Don’t forget your suppliers – in this cloud-based world your data could be held anywhere. Under APP 11, an entity “holds” personal information where it has “possession or control of a record that contains personal information”. The term “holds” extends beyond physical possession of a record, meaning that, if the storage of that record is outsourced to a third party, the entity will still be responsible in the event of a data breach by that third party.
4) You should ensure that you know how any supplier proposes to manage a data breach. Have they had data breaches in the past? Have they a record and reputation for trustworthy services? Do you need to ensure your contracts will protect your company in the event of a breach?
5) In your Response Plan consider template letters, website notifications, email notifications, an emergency hotline, a press release and engaging external consultants to review your process and security safeguards.
6) Don’t forget to regularly de-identify your data. If you have a data breach incident and your data is years old, you may be forced into advising far more affected parties than strictly necessary. Regular cleansing of the database will ensure any data breach is limited only to current customers.
7) Don’t forget about cyber insurance, which can provide a further tool in your risk management kit.
Don’t Go on a Blind Date – Your Lawyer Can Help You
Your lawyer can offer “relationship advice” when it comes to Privacy matters, including:
1) Carry out a Privacy review and audit to establish exactly what is required for your organisation;
2) Advise on compliance with the Privacy Act and notifications to both individuals and the OAIC;
3) Consider and review any third-party contracts or arrangements to ensure that your company is not unnecessarily exposed to any data breach risk;
4) Negotiate contract amendments with your suppliers and any other contractors;
5) Assist with policies and procedures for privacy and Data Breach Response Plans;
6) Provide template notification documents (i.e. letters, website and email notifications, etc.) in case an eligible data breach does occur;
7) Prepare and deliver privacy training guides for staff; and
8) Advise on any other risk management issues tailored to your organisation.
You can expect to hear plenty more about this new regime over the next 12 months. Certainly, the Regulator has been active and will continue to be so. The Regulator’s website has a large amount of information designed to assist businesses with their obligations, see https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.
There’s a popular reality TV show where couples (who have never met before) meet at the altar to express undying commitment and loyalty for life to each other, and then spend several weeks mostly experiencing spousal remorse.
The Privacy Act is a bit like that – we swear we are going to faithfully follow its guidelines and promise our customers they can trust us with their most personal information, and then we pay lip service to our obligations. Instead of paying alimony, respondents who breach the Act can be liable for fines ranging up to $2.1 million. Those penalties will simply be insignificant if you consider the damage to reputation and trust when your customers find out their privacy has been breached and you have failed to respond appropriately.
This really is one relationship that you need to make work.