What to Do Under New Data Breach Laws

There is no sound more cringe-worthy than the 'whoosh' of a misdirected email. As of today, that moment of realization, the moment the email escapes your outbox and takes all the air from your lungs with it, will be even more agonizing. Under the Notifiable Data Breaches (NDB) scheme, businesses must own up to the exposure of sensitive information. Besides salting the wounds of the accidental sender, notification exposes a business to serious reputational damage. However, contrary to the bulk of reporting we have seen on this matter, notification is not always required. It is essential that businesses understand when notification is mandatory and, equally important, when it is not.

A Snapshot of the NDB Scheme

Under the NDB scheme (effective as of today), certain entities must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals when personal information they hold is lost, accessed without authorization or disclosed without authorization, and the breach is likely to result in serious harm to any of the individuals concerned (an eligible data breach). Failure to comply may result in fines of up to $1.7M.

Who Must Comply with the NDB Scheme

The scheme applies to entities already bound by the Privacy Act 1988. This includes government agencies, businesses and not-for-profits with an annual turnover of $3 million or more, credit reporting bodies, health service providers and tax file number (TFN) recipients, among others.

What to Do in Case of a Breach

If there has been an eligible data breach, the entity must notify all individuals at risk, as well as the Office of the Australian Information Commissioner (OAIC), as soon as practicable. The notification must include the following information:

  • The identity and contact details of the organization;
  • A description of the data breach;
  • The kinds of information concerned; and
  • A recommendation of the steps individuals should take in response to the data breach.

Willful ignorance is no excuse under the scheme. Where an organization has reasonable grounds to suspect that an eligible data breach may have occurred, it is obliged to undertake a reasonable and expeditious assessment of whether the breach is likely to result in serious harm, and to take all reasonable steps to complete that assessment within 30 days.

Mitigating the Need to Notify

There is a common misconception that a data breach of any kind must be notified immediately; a fiction that is likely the product of partially informed clickbait. On the contrary, if an entity takes remedial action before any serious harm results, such that the breach is no longer likely to result in serious harm, then notification is not required.

Example of Remedial Action

For the sake of exposition, let's return to the rogue email example. Suppose that a business misdirects a sensitive email; the question the business must ask is whether a recall email will quell the risk, or whether notification is required. According to the OAIC, this will depend on the relationship between the sender and the recipient. If there is a prior relationship of trust or confidence, then a recall email followed by the recipient's confirmation that the message was deleted unread and not forwarded will likely suffice, in which case notification exposes the business to unnecessary reputational damage. Note that a recall request on its own rarely removes a message from a recipient's mailbox; it is the recipient's confirmed deletion, not the recall, that reduces the risk. If, however, the recipient is a stranger, then a recall email is likely insufficient and notification will be required.

Mistakes in the handling of data are common, and there is a subset of mistakes that can be remedied without exposing one's business to damage. We urge businesses to seek legal counsel to determine whether or not remedial action is sufficient.

Further information on remedial action, and on the scheme more generally, is available from the OAIC.

This article is for general interest purposes only and does not constitute legal advice. For tailored legal advice, contact Rankin & Co.