The Australian senate yesterday passed new laws that will require businesses and government agencies to notify the Privacy Commissioner and customers if they have experienced a data breach.
It brought an end to five years of uncertainty as both sides of politics made attempts to get a mandatory data breach notification scheme up and running.
But what does the Privacy Amendment (Notifiable Data Breaches) Bill 2016 mean for your business, and what constitutes a breach?
When does the scheme start?
The government will designate a specific start date for the scheme to begin operation at some point in the near future.
The legislation gives the government a year to pick a date, otherwise the law will kick in 12 months from when it receives royal assent from the governor-general (a final formality expected within the next few weeks).
Update: the legislation will come into force from February 22 2018.
What do I have to do?
Entities must notify the Privacy Commissioner and affected customers "as soon as practicable" after becoming aware that a data breach has occured.
In cases where an organisation suspects a data breach has occured, it must undertake an assessment into the circumstances within 30 days to ascertain whether or not it has actually occured, and therefore whether it needs to notify.
Who do the laws apply to?
The legislation covers government agencies and organisations governed by the Privacy Act.
It means state government organisations and local councils, plus organisations with a turnover less than $3 million a year, do not need to comply with the legislation.
Similarly, if notifying customers will prejudice law enforcement activities, police and intelligence agencies need not comply.
If an organisation has taken remedial action after a breach that means it's unlikely the incident will result in serious harm to affected individuals, it also won't be required to report the incident.
For example, the legislation offers a notification reprieve if an individual agrees to delete information that has been mistakenly emailed to them by someone else, or if a stolen or lost device can be remotely wiped before it is accessed.
How do I know if a breach is serious enough to report?
The legislation considers a data breach to have occured when there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure".
It includes things like malicious breaches of secure storage and information handling (i.e. a hack); accidential loss of, for example, a hard drive or soft-copy documents; and negligent and improper disclosure of information.
Information considered to be "personal" covers identifying details, credit reporting information, credit eligibility information, and tax file number information.
A data breach is considered eligible under the mandatory reporting requirements when a "reasonable person" would conclude there is "a likely risk of serious harm" to those affected by the breach.
This harm threshold covers "serious" physical, psychological, emotional, economic, and financial harm, as well as serious harm to reputation.
A "reasonable person" would need to be satisfied that the risk of serious harm occuring is more likely than not. Just being upset that your data has been disclosed or accessed without authorisation is not enough to force a company to notify.
What happens if one of my partners accidentally exposes my data?
The Australian Red Cross Blood Service unwittingly claimed the crown for the country's biggest ever data breach when its website partner Precedent accidentally exposed 1.28 million of the blood service's records online.
Outsourcing arrangements like these are a dime a dozen, so what does it mean if your IT partner makes a bungle that sees your data exposed?
The legislation says that if more than one entity holds the same personal records, a breach at one could constitute a breach at the other.
But it also considers that both organisations have complied with their reporting obligations if only one notifies. The organisations are allowed to decide amongst themselves which will do the reporting.
What do I need to put in the notification, and how do I tell my customers?
A notification to the Privacy Commissioner and affected individuals needs to include the company's name and contact details, a description of the breach, the kinds of information involved, and recommended actions those affected should take to protect themselves.
An organisation can notify customers via the normal methods they use to communicate with them. This approach is suggested so customers don't dismiss the notification as a scam.
The legislation requires a company to take "reasonable steps" to inform customers of the breach, such as through email, phone, or post.
Organisations have discretion to notify their entire customer base, or just those they deem to be at risk as a result of the breach.
If an organisation can't notify customers, it can publish a notification to its website.
What happens if I don't notify?
In short, a failure to comply with notification rules can incur fines of up to $360,000 for individuals and $1.8 million for organisations.
Initially the Privacy Commissioner can issue a written direction requiring an organisation to notify of the breach if they discover it has occured.
From there, penalties for non-compliance start from less severe sanctions like public apologies and compensation payments, up to the aforementioned civil penalties, which kick in when the Privacy Commissioner considers there to have been "serious or repeated non-compliance".