Something as simple as inadvertently sending a customer’s personal information to another person could cost your company dearly – lost earnings, lost customers, lost business partners, damage to reputation and increased compliance costs.
If your company is governed by the Privacy Act 1988 (Cth), is a credit provider, deals with personal or health information or collects/holds Tax File Numbers then you need to know about the Notifiable Data Breaches regime and how you can minimise your company’s risk profile and avoid reputational damage.
What’s the Notifiable Data Breaches regime all about?
In February 2018, Australia introduced an obligation on companies to notify customers and the Privacy Commissioner of actual or suspected data breaches.
Not all data breaches need to be reported, only those likely to result in “serious harm” to the individual to whom the information relates. These are called “eligible data breaches”. Of course, there are exceptions (aren’t there always?) and whether they apply will depend on the particular circumstances of the data breach.
What’s “serious harm”?
Whether or not there is “serious harm” will depend on a few factors, including the kind or sensitivity of the information disclosed and your company’s security measures. You will need to assess the information objectively, from the perspective of a reasonable person in the circumstances.
For example, if a document was disclosed that included a customer’s contact details, including name, address, mobile number and email address, the disclosure of that information could potentially cause the individual serious harm, such as financial, reputational, physical, psychological or emotional harm. However, if you act quickly, there is a chance you can prevent the data breach from straying into “serious harm” territory. The key is to ensure you take care in your assessment and keep proper records (i.e. board reports, insurance, Privacy Commissioner investigations, internal compliance and reporting).
Aren’t most data breaches from external hackers?
Contrary to popular belief, human error and internal intrusions make up a significant portion of the data breaches companies suffer each day.
Human error, for example, can occur when a document containing one individual’s information is sent to someone else by accident.
Internal intrusions can range from something as innocuous as an individual stumbling into a file they shouldn’t be looking at, to more serious intrusions such as actively collecting information for financial gain.
What’s the risk to my company if I don’t report eligible data breaches?
The Privacy Commissioner has a number of enforcement powers. If your company is investigated and found to be in breach of the legislation, the risks range from less serious action, such as enforceable undertakings, to more serious actions including injunctions and civil penalties (including for serious or repeated interferences with privacy).
To find out how you can minimise compliance and reputational risk, see Part 2 of our blog post here.
Michael Owens, Partner
Kelly Marshall, Director