Many small businesses still do not understand, or pay attention to, the Notifiable Data Breach scheme introduced by the government in 2018. This is a summary of the scheme and why it matters to you.

Firstly, what is a “data breach”?

A data breach is when data, or information, could have been accessed by someone who is not supposed to have access. Some examples of data breaches are:

  • You accidentally email a file to the wrong person
  • Your laptop or mobile phone gets stolen
  • You leave your computer on and logged in while you wander off to do something else
  • You store files in a cloud-based storage system that is not properly secured
  • A hacker breaks into your company’s server over the internet and downloads your files

Clearly, breaches can be accidental, malicious, or anything in between, but they do happen all the time.

Why did the government decide to change the legislation?

We are in the information age. People you deal with are actively collecting and storing information about you. Big companies like Facebook and Google collect information, and even retail stores ask you to share information in return for joining their loyalty program. Every business has data about customers, partners, suppliers and employees.
Hacking and stealing this data is big business, to the extent that cyber crime is now the largest form of organised crime in the world.
Prior to the introduction of the NDB scheme, in many cases if an organisation that held your information had a data breach they did not need to tell anyone about it. Your information could be used against you, for identity theft for example, and you would not know. With no accountability, the holder of the data does not have much incentive to improve their systems.

What is the NDB Scheme?

The NDB Scheme is legislation that is part of the Privacy Act. It makes organisations more accountable for the data they hold. Organisations are required to take steps to protect data and are also required to notify the government and other impacted parties if they have a notifiable data breach. The NDB Scheme also provides penalties for non-compliance.

Which organisations are covered by the NDB Scheme?

Broadly, any organisation turning over more than $3 million must comply. There are also some sectors such as health services or credit providers that must comply.

How would I know if I have been breached?

If you have any reason to suspect a breach you must perform a “reasonable and expeditious” assessment to confirm or discount the breach, and identify what information has been breached. There is an expectation that organisations will have reasonable practices, procedures and systems in place to protect data and allow for prompt assessment of any suspect activity.

Do I need to report every breach?

Organisations only need to report “notifiable” data breaches. Typically these are serious breaches that may cause harm to the people whose data has been breached. If confidential information, or personally identifiable information such as names, addresses, credit card info, tax file numbers, financial details, etc., is leaked, this could be considered a notifiable breach.
Other less serious breaches do not need to be notified.

Who decides what breaches are notifiable?

Ultimately, the responsibility to decide whether a “reasonable person” would think that a breach would result in serious harm lies with the breached business; however, the OAIC has some guidelines.
We suggest that at a minimum, you need to have a few things in place to be able to make this determination. You need to:

  • Have systems in place to detect a breach and identify what data was accessed.
  • Know what data you have, where it is, and how sensitive it is.
  • Have an incident response plan prepared in advance so you know what to do in the event of a breach.
  • Have a legal advisor who can provide formal advice about your obligations.

What happens if I don’t report a breach?

The penalties for not complying with the NDB are specified in the Privacy Act. Currently, the Act allows for monetary penalties of up to $1.8 million for organisations and $360,000 for individuals. In addition to penalties, the Commissioner may investigate non-compliance and require the organisation to pay compensation to affected parties.
If organisations do not have appropriate systems, procedures and protections in place, this may be viewed as a breach of the directors’ duty of care and therefore company directors may also personally face penalties.

Who can assist with this?

The Office of the Australian Information Commissioner publishes significant amounts of information on these topics at
Ultimately, we suggest discussing this with an appropriate legal advisor to ensure you are aware of your obligations. We can, of course, assist with helping you to define and improve your cyber security posture.

In Summary

Businesses are now more accountable for protecting data that they store. At a minimum, you should be aware of how your business is protecting its data, how you would detect a breach when one occurs, how you would determine the extent of the breach, and what steps you would take to mitigate and notify as required.

Hayden McMaster