Uber has been subject to a data hack of colossal proportions which it attempted to sweep under the carpet by paying ransom to the hackers.

The data, which contained the names, email addresses and mobile numbers of some 57 million users, was stolen from a third-party cloud server used by Uber.

The incident raises several questions; namely, how vulnerable are third party cloud services to attack? When, if ever, is it acceptable to pay hackers a ransom? However, the question most relevant to Australian businesses is what obligations do organisations and individuals have under the imminent data protection amendments.

The cover-up has surfaced less than 100 days from the Privacy Amendment (Notifiable Data Breaches) Act 2017, which is set to come into effect on February 23, 2018. The forthcoming legislation applies to government agencies and organisations covered by the Privacy Act. This means that state government organisations, local councils, and companies with a turnover of less than $3 million a year may fall outside the legislation (with some exceptions for organisations handling sensitive data such as health records). The newly-passed law requires that organisations, upon recognising a breach or loss of data, report the incident to the Privacy Commissioner and notify affected customers. The notification must include a description of the data breach, the nature of the information lost or stolen, and an explanation as to how customers should respond.

Individuals who do not comply face penalties of $360,000, while organisations in breach face fines up to $1.8 million.

Under the new legislation, a serious breach involves the unauthorised access, disclosure or loss of customer information held by an entity, which generates a real risk of serious harm to the individuals involved. Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.

Indeed, Uber is a prime example of what not to do under Australia’s forthcoming framework.

Rankin & Co. urge that any business suspicious of data breach seek legal counsel. Contact Rankin & Co. to learn how the upcoming amendment effects your business.