
Lessons learnt from a data breach: Understanding the Privacy Act

The Optus data breach is top of mind for a lot of Australians, particularly those whose personal data has been exposed.

For businesses, the recent breach is a timely reminder of the importance of understanding your obligations to keep personal data private.

You need to know what customer data you hold, whether you should be storing that data at all, how it is secured, how your systems work, and the process for identifying gaps and deficiencies.

You also need a good understanding of the appropriate actions to take if a breach occurs. This is not something that can be outsourced to IT; it is a whole-of-business issue.

The obligations on business

A data breach occurs when personal information is accessed or disclosed without authorisation, or is lost. A business must take reasonable steps to meet its obligations to prevent data breaches, and those obligations are not limited to preventing cyber attacks.

Personal information is information or an opinion about an identified individual, or about an individual who is reasonably identifiable, including where separate pieces of information, once combined, make an individual reasonably identifiable.

No system is 100% secure. OAIC breach statistics show that malicious or criminal attacks account for 55% of reported data breaches, human error for 41% and system faults for 4%. Of the breaches caused by human error, 43% involved personal information being emailed to the wrong recipient.

Human error also includes business devices such as laptops, mobile phones and USB sticks being lost or stolen while holding personal data. Ensuring your technology systems are up to scratch is just one way to minimise the risk of a data breach.

For example, if an employee inadvertently leaves their business laptop on public transport, that laptop may store personal data locally and holds credentials for business systems that contain it. The employee has an obligation to notify the organisation of the loss, and of the potential privacy breach, promptly. In cases like this, your IT specialist may be able to revoke the device's access to systems quickly, or wipe it remotely, to limit the harm before it occurs. Full-disk encryption and a short screen-lock timeout, configured in advance, make it far less likely that a lost device exposes the data it holds.

All Australian Government agencies, and any organisation with an annual turnover of $3 million or more, have responsibilities under the Privacy Act 1988. Organisations with a turnover under $3 million may also be subject to the Privacy Act if they are:

  • A private sector health service provider, including medical practitioners, pharmacies and allied health practitioners
  • A gym or weight loss clinic
  • A credit reporting body, which is an organisation involved in handling personal information about an individual's creditworthiness
  • A service provider contracted to an Australian Government agency
  • An employee association that is registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • A child care centre, private school or private tertiary education provider
  • A business accredited under the Consumer Data Right system
  • Any business that has opted in to the Privacy Act

Notification requirements

The Privacy Act requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of certain data breaches under the Notifiable Data Breaches (NDB) scheme. A data breach is notifiable under the NDB scheme when all three of the following apply:

  • There was unauthorised access to, or unauthorised disclosure of, personal information held by the organisation. This also applies where personal information is lost in circumstances where unauthorised access or disclosure is likely to occur, for example the laptop left on public transport in the case above.
  • The data breach is likely to result in serious harm to one or more of the affected individuals.
  • The organisation has not been able to prevent the likely risk of serious harm through remedial action.

If you are not sure whether your data breach meets the above criteria, you must carry out an assessment to determine whether notification is required. The assessment must be completed as quickly as possible, and in any case within 30 days of becoming aware that a breach may have occurred. Once you conclude that the breach is notifiable, you must notify the OAIC and the affected individuals as soon as practicable.

By notifying affected individuals you give them the opportunity to take steps to reduce their risk of harm. Affected individuals can be harmed physically, psychologically, financially, or through damage to their reputation.

Following the recent data breaches at Optus, Medibank and others, the Privacy Act was amended to increase the maximum penalty for serious or repeated interferences with privacy from $2.2 million to the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or 30% of the company's adjusted turnover in the relevant period. This means organisations could be fined hundreds of millions of dollars.

Penalties are most likely to be applied to organisations that have failed to take reasonable steps to protect personal data. Significant changes to the notification requirements are also likely, to ensure that companies properly report what information has been stolen or lost.

How to protect your business against data breaches

If you haven't already, now is the time to protect your business against the risk of a serious data breach. Below are some steps you can take to minimise the risks:

  • Understand your Privacy Act obligations. The Privacy Act sets out 13 Australian Privacy Principles (APPs) that define a business's obligations for managing personal information. Specific industries, and businesses that hold specific types of data, often have additional requirements. Compliance with the APPs as a whole will reduce the risk of a data breach happening to your business.
  • Review the personal information you hold on customers. Is a full date of birth a necessary part of what your business does? If you need to verify identity, do the identification documents really need to be stored once they have been validated, or is a record of the positive confirmation enough? Is the data held securely, and is access limited to only those who require it? Data you no longer hold cannot be breached.
  • Ensure your systems have appropriate security controls applied, for example by enabling, and enforcing for all users, multi-factor authentication.
  • Understand your systems and how they work together, so you can close security gaps and unintended ('backdoor') access paths.
  • Review and, where appropriate, update your processes and documentation.
  • Arrange training for your staff to improve awareness of their obligations under your organisation's policies and processes and under the Privacy Act. Staff should be reminded how to identify, handle and access personal information, and should understand common cyber threats, such as phishing and fraudulent messages, and how to avoid them.

For assistance reviewing your systems, policies and processes, or for advice on how the Privacy Act applies to your business, contact our experienced business advisors today.
