‘Eligible data breach’
A data breach is any unauthorised access to, or unauthorised disclosure of, personal information, or any loss of personal information. This covers far more than malicious hacking or ransomware. It can include, for example, the inadvertent loss of clients’ personal records (a misplaced laptop or paper file), or a third-party provider accidentally making client records publicly accessible on a business’s website.
If the data breach is likely to result in serious harm to any of the individuals to whom the personal information relates, and the business has not been able to prevent that likely risk of serious harm through remedial action, it is an eligible data breach under the new law (the Notifiable Data Breaches scheme introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017).
Preparing for the new legislation
It is important that your business understands the new requirements and has the right policies and procedures in place to ensure compliance. It is crucial that, when the scheme commences on 22 February 2018, your team knows:
- what constitutes a breach;
- how to make an assessment of serious harm;
- what the exemptions from notification are; and
- the potential consequences of failing to notify.
To help you to identify when a data breach has occurred, and assess your exposure to risk, you must first understand and document how personal information is collected, used, disclosed, accessed and stored within your business. Having done so you should then develop a response plan for a data breach incident. This will address:
- how your business will respond to a data breach;
- the internal team members who will be responsible for assessing a breach; and
- how a suspected data breach must be reported internally, how it will be assessed (the scheme expects an assessment to be completed within 30 days of becoming aware of a suspected breach), and how and when it will, if necessary, be notified to the Office of the Australian Information Commissioner (OAIC) and to affected individuals.
You should have such a plan in place to ensure your business is ready and able to comply with the scheme if a data breach occurs, and that your team knows what to do if they become aware of, or even suspect, a data breach or other cyber security incident.
You should also review your business’s insurance cover to consider whether cyber insurance might be an appropriate risk mitigation strategy.
Further information on the new Mandatory Data Breach Notification laws is available at https://www.oaic.gov.au/.