The new regime relating to mandatory notification for data breaches comes into effect from 22 February, 2018. Currently, organisations holding sensitive information have discretion as to whether they disclose data breaches to affected customers and clients and/or the Privacy Commissioner.

Once effective, the new regime will require agencies and organisations that are subject to the Privacy Act 1988 to notify the Office of the Australian Information Commissioner and affected individuals in instances where there has been an "eligible data breach" of personal information held.

Given the extent of sensitive information that accounting firms hold on behalf of their clients, it is essential that your organisation is familiar with the requirements of the new regime and you ensure you are ready to respond quickly should a data breach occur.

What is an eligible data breach?

An "eligible data breach" occurs when:

  1. There is unauthorised access to, or unauthorised disclosure of, information;
  2. Information is lost in circumstances where unauthorised access or disclosure is likely to occur; or,
  3. A reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to which the information relates.

The Commissioner has provided the following examples of eligible data breaches:

  • Theft of a device that contains a customer's personal information;
  • Hacking of a database that contains a customer's personal information; and,
  • Where a customer's personal information is mistakenly disclosed to the wrong person.

A real world example of this can be seen in Uber's current data breach saga where it is alleged that data belonging to 57 million users was hacked. Instead of addressing the hack, the company paid the hackers $132,000 to delete the information. Had the pending legislation been effective at the time of the breach, Uber most likely would have faced serious penalties for not disclosing the breach.

What does serious harm mean?

When considering what amounts to "serious harm," the Commissioner has suggested that organisations make an assessment based on the kind of information that was accessed, the degree of sensitivity attaching to said information, and what the nature of the harm is likely to be to the individual whose personal information was accessed. The Commissioner has advised that factors including physical, psychological, emotional, economic and financial harm, as well as harm to an individual's reputation, should be considered when making this assessment.

When and how must a notification be prepared?

An organisation has 30 days in which to conduct an assessment to determine if the breach is eligible and to comply with the notice obligations (if required).

The legislation provides that where an "eligible data breach" of personal information has occurred, the organisation must prepare a notification that includes the following details:

  1. The contact details of the organisation;
  2. A description of the eligible data breach that the organisation believes has occurred;
  3. The kinds of information that were subject to the breach; and,
  4. Recommended steps that affected individuals should take in response to the breach.

The notification containing the relevant material must be forwarded to the Commissioner as soon as reasonably practicable after the organisation becomes aware of the breach. You must also, where possible, notify the individuals at risk from the breach. If it isn't practicable to do so, the organisation must take reasonable steps to otherwise publicise the notice.

There are some exceptions that can apply under the regime, such as when an organisation that has experienced a data breach takes remedial action after the breach occurs in order to ensure that affected individuals don't suffer any serious harm. Whether this is possible will obviously depend on the circumstances relating to the breach, but organisations should keep this in mind as part of their response.

It's also important to note that failure to comply with the notification regime can potentially result in fines of up to $1.8 million. Accordingly, organisations need to be on alert and well prepared to deal with a breach in their data.

What should you do before 22 February, 2018?

  1. Familiarise yourself with the legislation - The legislation provides extensive processes as to what should be done if an eligible data breach occurs.
  2. Review your IT contracts - If you're using a third party to hold your data you should make sure that they're obliged to notify you of any data breach as it occurs and that they cooperate with you in investigating the breach.
  3. Create an internal response plan - The legislation requires organisations to prepare a notification to the Commissioner as soon as practicable after becoming aware that an eligible data breach has occurred, so ensure you have a process in place to assess and respond when a breach occurs.
  4. Consider which of your clients may collect personal information - As a trusted advisor to your clients, you should ensure they are adequately informed in relation to the new privacy laws and how this may affect their business.
  5. Increase security measures/ensure they are up-to-date - Technology is constantly evolving so the ways in which your sensitive information can be leaked or disclosed are also constantly evolving. We suggest using reputable software to protect such data and undertake upgrades where possible.

Why is this so important for accountants, I hear you ask? Well, just think of all the client information that you store as part of any financial and tax records - information which, if accessed by an unauthorised third party, could result in occurrences of identity theft, or "serious harm."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.