New data breach notification laws were recently passed by Federal Parliament and will have important implications for your brokerage and your clients’ businesses.
With the new mandatory data breach notification laws now a certainty in Australia, we will have a clearer idea of the cyber risks that prevail in the business environment.
Why? Because the new laws will require organisations to:
- Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if there has been a data breach
- Undertake an assessment process if they are aware of a possible data breach.
The new laws will apply to entities currently caught by the Privacy Act, including insurers, insurance brokers and their agents. Organisations will have up to one year to ensure their existing policies and procedures are amended to comply with the new requirements.
In light of this, brokers should consider what opportunities there might be in the context of offering risk management and insurance support for cyber and privacy breaches.
What is a data breach?
A data breach occurs where there is unauthorised access or disclosure or loss of personal information held by an organisation and the disclosure would be likely to result in serious harm to the affected individuals. Some exceptions apply.
“Likely to occur” effectively means more probable than not.
Serious harm could include “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach”.
It is expected that serious financial, economic or physical harm will be the most common forms of serious harm giving rise to a notification.
Distress or being upset would of itself not be sufficient. The test is whether a reasonable person in the organisation’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.
Examples of types of data breaches
Some examples that have been provided of data breaches that could trigger notification include:
- lost or stolen laptops, removable storage devices, or paper records containing personal information
- hard disk drives and other digital storage media being disposed of or returned without the contents first being erased
- databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the entity
- employees accessing or disclosing personal information outside the requirements or authorisation of their employment
- paper records stolen from insecure recycling or garbage bins
- mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address
- an individual deceiving an entity into improperly releasing the personal information of another person.
Factors to consider in determining whether a breach has occurred in each case include, among other things, the type of information, the sensitivity of the information, the type of security measures in place and who could have obtained the information.
It is important that effective and immediate action is taken in response to a data breach, as the laws provide that if the organisation has taken action to stop the disclosure before any serious harm arises, notification is not required.
What do you do?
If you suspect a breach but don’t know for sure:
- as soon as possible, carry out an assessment in accordance with the law (which requires that you consider certain specified minimum matters) of whether there are reasonable grounds to believe that a data breach has occurred
- take steps to ensure the assessment is completed within 30 days of your suspecting a breach.
Once a breach has been established, your obligations are to:
- notify OAIC – this includes your contact details, description of the data breach, the type of information and recommendations about the steps individuals should take in response to the breach
- notify affected persons – this can be done:
  – individually, if reasonable to do so
  – as a group, that is, the entire cohort of affected individuals
  – to the individuals who are ‘at risk’ from the data breach
  – on the organisation’s website, if it is not practicable to notify individuals or those at risk directly.
An additional note for organisations that send personal information overseas: the data breach notification obligations will apply in relation to the conduct of the overseas entity in the same way as if the information were still held by you as the Australian entity.
The practical effect of this is that you will need to ensure your agreements with overseas processors include strict obligations to notify the Australian arm whenever the overseas processor has reason to believe an eligible data breach has occurred, since the Australian counterpart will be in breach of its own obligation if this is not done.
If you don’t comply with the assessment and notification obligations, the OAIC has the power to investigate and make determinations. Penalties could range from remedial action and enforceable undertakings to the more severe civil penalties ($360,000 for individuals; $1.8 million for corporations).
TAKE ACTION NOW
Areas that you can start reviewing include:
- agreements with third parties to whom you may disclose personal information, to ensure they require the third-party providers to notify you of any suspected eligible data breaches (this also applies to organisations that outsource aspects of their operations dealing with personal information to overseas providers, such as call centres and IT management firms)
- current processes for reviewing any suspected data breaches and implementing procedures to notify any eligible data breaches to the OAIC and affected individuals
- current procedures and processes relating to the security and safety of data, including employee access and use of such information
- IT security procedures and mechanisms to prevent a breach arising
- developing a data breach response plan
- ensuring you have a current IT and data security policy
- ensuring you monitor compliance with IT and data security policies
- the appropriateness of a cyber insurance policy to assist in covering potential exposures.
It is anticipated that the OAIC will update the current “OAIC Data Breach Notification: A guide to handling personal information security breaches” or release other guidance material to assist organisations in preventing, identifying, notifying and containing eligible data breaches. Check out its website.
This article is designed to provide helpful general guidance on some key issues relevant to this topic. A more detailed explanation is available on the NIBA website.