The Office of the Australian Information Commissioner (OAIC) recently released the first quarterly report since the introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017 on February 22. The results starkly highlight how easy a breach can be, with more than half of the reported breaches being from human error (51%).
OAIC also reports that almost half of the breaches were due to malicious attack (44%); it seems many people are looking for a piece of the cybercrime pie, which is estimated to cost the globe $6 trillion annually by 2021.
The fact is, it’s not a matter of ‘if’ a breach will occur, but a matter of ‘when’.
With this in mind, it’s essential for any organisation with an annual turnover of more than three million dollars, as well as all of the organisations listed below, to make a firm-wide commitment to ensuring that every person in the organisation knows the implications of a data breach, both for themselves and for the organisation:
- entities that provide health services
- entities related to an APP entity
- entities that trade in personal information
- credit reporting bodies
- employee associations registered under the Fair Work (Registered Organisations) Act 2009, and
- entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy
The penalty for non-compliance is $360,000 for an individual and $1.8 million for an organisation, which alone should be enough incentive to ensure you have implemented a notification-ready breach management protocol.
However, these fines should not be viewed and approached as a scare tactic; rather, their aim is to effectively tackle a growing issue related to protecting our own and others’ privacy and the respectful treatment of our information, so we can have more confidence in our communities. The scheme also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.
Handling a response
When it comes to compliance, it is not so much the actual data breach, but the way your organisation responds which matters.
A data breach can include losing a device, a hacked database, information mistakenly sent and even verbal disclosure of personal information. It’s important to note that not all breaches occur electronically; a breach can be as simple as a statement sent to the wrong client.
To improve the way your organisation responds to a breach, it’s critical your organisation has documentation to support the notification workflow, which clearly states how you will assess risks and take action.
This includes implementing and updating your key documents such as a Mandatory Data Breach policy, procedures, breach checklists, incident logs, media policies and business continuity plans.
When it comes to responding, every incident must be reviewed case by case, and your actions need to be timely and appropriate. You have thirty (30) days to notify of a breach, counted from the day you became aware of it.
Organisations that encounter a suspected data breach need to be prepared so they can conduct a quick assessment to determine whether it is likely to result in serious harm, and notify any individuals likely to be at risk of serious harm. In the case of a serious breach, the Australian Information Commissioner must also be notified. The notification must also include recommendations regarding the steps that individuals should take in response to the data breach.
So, what types of things are considered serious harm resulting from a breach?
- the loss of public trust in the organisation / reputational damage
- identity theft
- financial loss or exposure
- threat to physical safety
- threat to emotional wellbeing
- loss of business or employment opportunities
- workplace or social bullying or marginalisation
- regulatory penalties (e.g., for breaches of the Privacy Act)
- extortion
- legal liability
There are four key steps to consider when responding to a breach or suspected breach.
First, contain the breach and do a preliminary assessment by following your procedure document and checklist. Secondly, evaluate the risks associated with the breach together with upper management. Next, notify those involved and brief them on the action being taken. If remedial action is successful in making serious harm no longer likely, OAIC notification is no longer required. Lastly, it is important to prevent future breaches by conducting not only an incident review, but also a review of the effectiveness of your policies and procedures.
Although having effective policies and procedures in place is crucial, there are other ways to build awareness and reduce the number of data breaches within your organisation. These include:
- Conducting user training
- Knowing your options for data transfer
- Utilising encryption options
- Deploying intrusion detection and prevention
- Stopping “dodgy” downloads
- Applying comprehensive and up-to-date patching
- Adjusting insider behaviour
- Ensuring backup procedures are in place
- Performing vulnerability tests
- Being vigilant!
Creating open feedback channels and an environment where staff are not afraid to ask or report is essential for making this system work.
What now?
During the first 12 months of the scheme’s operation, we understand that the commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.
The key takeaway for everyone is to be alert, be aware, accurately assess, notify… and let common sense prevail.
For further information please contact your local William Buck office.