Security Update – Mandatory data breach notification laws to take effect by 22 February 2018
There are 3 areas which all businesses need to address to greatly reduce their exposure to cyber risks, and they are as follows:
- The 4 layers of security – Firewall, Endpoint, Email/Cloud and Web, each with a different vendor, all of whom are market leaders.
- The staff – the internal weak link. Loss of data could be malicious or it could be accidental.
- Monitoring the business 24/7 – using a live Security Information and Event Management (SIEM) platform with faces on glass in a SOC (security operations centre) running 24/7.
This is now going to be a very big issue:
Take notice – mandatory data breach notification laws to take effect by 22 February 2018 – 5 months away.
From 22 February 2018, it will be mandatory for businesses to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals in certain circumstances if the business suffers a data breach.
Let’s consider these requirements and summarise what your business will need to do to comply.
The rationale underpinning the mandatory data breach notification requirements is to enhance the protection of personal information held by businesses and to enable individuals to mitigate any harm caused by a data breach.
Data breaches (including data which is lost or stolen) are a fact of modern life. It has been estimated that more than 9 billion data records have been lost or stolen worldwide since 2013. Direct selling businesses retain large amounts of personal information relating to their customers and distributors and should recognise that data breaches will occur. Therefore, businesses are encouraged to develop a robust cyber security framework, a data breach policy and a data breach response plan to ensure compliance with the law.
Under Australia’s federal privacy regime, the penalties that can be imposed on businesses for breaches of privacy can be as high as $1.8 million, and the damage caused by data breaches to a business’s reputation and brand can be irreparable.
To comply with the requirements of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Privacy Amendment Act), relevant businesses must give formal notice if:
- there are reasonable grounds to believe an “eligible data breach” has occurred; or
- the Australian Information Commissioner (the Commissioner) believes on reasonable grounds that an “eligible data breach” has occurred and directs that business to give notice.
Businesses with an annual turnover of less than $3 million are not required to comply with the Privacy Act, unless an exception applies to the business, such as where it collects health information, which is “sensitive information”. Accordingly, while a direct selling business or distributor will not ordinarily be required to comply with the Privacy Act, if they collect health information from customers and distributors in their downlines, they must comply. Health information can include, for example, a person’s opinion about their level of fitness.
What is an “eligible data breach”?
There will be an eligible data breach where:
- there is unauthorised access to, or unauthorised disclosure of, personal information; or
- information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, personal information is likely to occur;
and a reasonable person would conclude that the access or disclosure would be likely to result in “serious harm” to any of the individuals to whom the information relates.
What is “serious harm”?
Serious harm is assessed from the standpoint of the reasonable person. It could include harm which is physical, psychological, emotional, economic, financial or reputational. However, an individual being upset or distressed is, on its own, unlikely to constitute serious harm.
In assessing whether a reasonable person would conclude that disclosure or access would be likely to result in serious harm, relevant considerations include:
- the kind of information and its sensitivity, for example, health information or credit card details;
- whether the information is protected by one or more security measures;
- the likelihood that any of those security measures could be overcome;
- whether a security technology was used to make the information unintelligible or meaningless to unauthorised persons; and
- the likelihood that a person has obtained or could obtain information or knowledge to circumvent the security technology.
Which form of notice is required?
If a business has reasonable grounds to believe an eligible data breach has occurred, or the business is directed to provide a notification by the Commissioner, the business must prepare a statement.
The statement must include:
- the identity and contact details of the business;
- a description of the data breach;
- the kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the data breach.
A copy of the statement must be given to the Commissioner.
The business should then notify everyone:
- to whom the relevant information relates; or
- who is at risk from the eligible data breach,
of the contents of the statement as soon as practicable after the business becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.
Direct selling businesses may use their usual method of communication when notifying an individual, for example, SMS, a phone call, email or a social media post. If it is not practicable to notify everyone, the business must publish a copy of the statement on its website and take reasonable steps to publicise the statement’s contents.
Are there any exceptions?
Unless an exception applies, notification of an eligible data breach is mandatory.
The Privacy Amendment Act introduces a number of exceptions, including:
- Remedial action: if the business takes remedial action in response to an eligible data breach and a reasonable person would conclude that, as a result of the action, the breach would not be likely to result in serious harm to any individuals.
- Inconsistency with secrecy provisions: if notification would be inconsistent with Commonwealth secrecy provisions.
- Commissioner’s declaration: if the Commissioner declares that the business is exempt from complying with the notification requirements for a certain period of time. The Commissioner may make the declaration on the Commissioner’s own initiative or upon application by the business.
What are the consequences for contravening the Privacy Act?
Failure to comply with the Privacy Act may be considered an interference with the privacy of an individual. For a corporation, the maximum civil penalty that can be imposed for a serious breach, or for repeated breaches, of the Privacy Act is $1.8 million. In addition, a corporation may be ordered to compensate an individual for loss or damage caused.
Data breaches by a direct selling organisation can also cause significant damage to the organisation’s reputation and erode the trust that both customers and other participants in the direct selling industry may have in a direct selling business, as well as cause significant business interruption and loss. As we have previously reported, company directors are responsible for cyber security issues and, in the event of a data breach, could be found to be personally liable.
Is your direct selling business (products or services) prepared to handle a data breach?
- Does your business and/or your independent distributors collect sensitive information about your clients?
- Do your independent distributor agreements and/or Policies and Procedures contain privacy obligations?
- Are your independent distributors required to notify you of any suspected data breaches?
These are all matters which you should consider when determining whether your business and your independent distributors are taking reasonable steps to ensure privacy compliance.
As discussed above, the security measures and technology used by a business are important factors in determining whether a data breach has caused or is likely to cause serious harm in the eyes of a reasonable person. This demonstrates the need for direct selling businesses to be better protected and insulated from cyber risks.
In partnership with leading security technology vendors, and using a cyber security framework based on the 3 areas outlined at the start of this message, we can assess your resilience level.
Please do not hesitate to contact us to explore strategies to enable your business to develop a robust cyber security framework. Not only will this protect your commercial interests, but it will also ensure that you are prepared to comply with the Privacy Act by 2018.
We encourage you to create a data breach policy and a response plan. The OAIC’s guide to developing a data breach response plan was published in April 2016. The guide is being updated to reflect the changes introduced by the amendments to the Privacy Act.
Go Systems can also assist with all 3 items listed at the start of this blog.
Go Systems is both an:
- MSP (Managed Services Provider) – everything infrastructure and SaaS with Microsoft and other major vendors.
- MSSP (Managed Security Services Provider).
22 February 2018 is fast approaching; make sure your business is prepared!