Earlier this year the new Mandatory Data Breach Notification laws came into effect. This means that if there is a data breach in your business, you are required by law to notify your customers, failure to do so can result in fines up to $2.1 million.
So what do you need to know?
What is a data breach?
A data breach occurs when personal information (name, contact or banking details etc) is accessed or released without proper authorisation or lost and likely to be accessed or released without authorisation.
Examples of a data breach can include:
- A device that holds customers information is lost or stolen
- A database storing customer information is hacked or accessed without consent
- Personal information is sent to the wrong person
When should you send a notification?
You need to send a data breach notification when the breach is likely to result in ‘serious harm’. Examples of serious harm include:
- Financial loss through fraud
- Identity theft
- Risk of physical harm, such as by an abusive ex-partner
- Psychological harm
- Reputational harm
How to notify users?
You can notify affected parties either directly (email, phone) or indirectly (notification on your website). You must also notify the Office of the Australian Information Commissioner (OAIC).
You have a maximum of 30 days to notify the affected parties.
What should be included in the notification?
The following should be included in your notification:
- The personal information involved in the breach
- A description of the data breach
- Your contact details
- Recommendations for steps the affected parties can take to minimise harm
A staff member loses a USB containing clients’ personal information on their way to work. The USB had client’s names, tax file numbers, and financial information. The USB is not encrypted or password protected.
The staff member reports the loss to their manager. The organisation believes it is likely that the information on the USB would be used for identity theft, or to send malicious emails. The organisation notifies each of their clients with an email about the data breach and includes recommended steps to lower the risk of identity theft.
In this scenario the organisation has taken the correct steps to notify users of their potential breach and would not be liable for fines under the Mandatory Data Breach Notification law.
The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.