What is a notifiable data breach?
In today’s digitally connected world, cyber security is more critical than ever. One vital aspect of cyber security that has garnered attention in Australia is the Notifiable Data Breach (NDB) scheme. Under the Privacy Act 1988, certain Australian agencies and organisations are required to notify affected individuals and the Australian Information Commissioner if a data breach likely to result in serious harm occurs. This provision aims to bolster cyber security by ensuring individuals are informed and can take protective measures, such as changing passwords or monitoring financial accounts. In this blog, we’ll delve into the nuances of the NDB scheme and explore its vital role in strengthening the cyber security landscape in Australia.
What does the Australian Government classify as a data breach?
A data breach, as defined under the Notifiable Data Breach (NDB) scheme in Australia, occurs when unauthorised access to or disclosure of personal information is made, or when there is a loss of personal information that an entity holds. A breach becomes eligible for notification if it is likely to result in serious harm to the individuals affected, considering factors like the sensitivity of the information, the nature of the harm, the kind of information, and the security measures in place. Serious harm can encompass a broad range of consequences, including physical, psychological, emotional, financial, or reputational harm, and not all data breaches require notification, such as when quick remediation prevents the likelihood of serious harm. Examples include:
- Unauthorised Access by an Employee: An employee of a financial institution browses sensitive customer records without any legitimate purpose, gaining unauthorised access to information like account numbers and personal details. This can lead to serious financial harm to the individuals whose information was accessed.
- Accidental Disclosure Online: An employee of a healthcare provider accidentally publishes a confidential file containing the medical records of patients on the internet. This unauthorised disclosure may expose sensitive health information, leading to potential emotional or reputational harm for those involved.
- Loss of Physical Information: An individual working for a corporation leaves a laptop containing unsecured personal information, such as client contact details and contracts, on public transport. If the information is not encrypted or otherwise protected, and it falls into the wrong hands, it could lead to unauthorised access or disclosure, potentially resulting in financial or reputational damage to the clients whose information was lost. If the information is remotely deleted or encrypted to a high standard, making unauthorised access unlikely, then it may not qualify as an eligible data breach under the NDB scheme.
Does my business need to legally report a data breach?
Jam Cyber highly recommends business owners seek legal advice to determine their full obligations in the event of a cyber attack.
Under the Notifiable Data Breaches (NDB) scheme, various Australian entities must report eligible data breaches. These entities include:
- Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than AU$3 million
- Private sector health service providers
- Credit reporting bodies
- Credit providers
- Entities that trade in personal information
- Tax file number (TFN) recipients
- Accredited data recipients and designated gateways under the CDR system
Small business operators generally don’t have legal obligations unless they meet specific criteria, such as holding health information or trading in personal information. Certain activities can also require smaller businesses to be compliant with the NDB scheme.
Entities with Privacy Act security obligations only must notify breaches affecting the information within their obligations’ scope. APP entities, including businesses with over $3 million in turnover, and specific smaller businesses, are also covered by the scheme.
Credit providers, credit reporting bodies, and TFN recipients are also obliged under the scheme. Some private sector employers are exempt, but it’s advised to notify affected individuals if a breach is likely to result in serious harm. Further details and exemptions can be found in Australian Privacy Principles and legal documents governing specific cases.
Even if your business is not legally required to notify of a data breach, you should consider ethical requirements and how the breach may impact your customers or employees.
My business is an ‘eligible entity’. What do I need to do?
It is now vital for all Australian businesses to protect themselves against cyber attacks. This requirement is heightened for entities which have legal obligations under the NDB Act. The best way to protect your business is by implementing a cyber security framework.
A robust defence against cyber attacks necessitates more than just technology; it requires comprehensive policies, procedures, employee training, and a cohesive cyber security framework. These elements work together to create an informed and vigilant environment where potential threats are understood and properly managed, strengthening the overall resilience of the system.
Should your business experience an attack, and you are eligible under the NDB scheme, you will be required to notify the individuals at risk of serious harm as well as the Commissioner. The notification to the Commissioner must include a statement with details of the breach, such as the identity and contact details of the notifying entity, a description of the data breach, the kind of information concerned, and recommendations for individuals to minimise the impact. Voluntary additional information can be provided to the Commissioner to further explain the circumstances of the breach.
Notifying the Commissioner
Businesses can notify the Commissioner online. Go to: https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach and follow the instructions.
When notifying individuals about an eligible data breach, entities have three options depending on what’s practicable:
- Option 1 — Notify all individuals: If practicable, notify all individuals whose information was part of the breach, even if not all are at risk of serious harm.
- Option 2 — Notify only those individuals at risk of serious harm: Notify only those specifically at risk of serious harm, avoiding unnecessary distress to others.
- Option 3 — Publish notification: If neither option 1 nor 2 is practicable, publish the statement on the entity’s website and take reasonable steps to publicise the content, ensuring it’s available for at least 6 months.
Entities must decide which option to follow as soon as practicable after forming the belief that there has been a data breach, and must consider factors like cost, time, effort, and the likelihood of serious harm. The notification must include specific details about the breach and recommendations for individuals to respond.
How do I write a data breach notification?
The Jam Cyber Security Framework provides specialised tools for organisations, including a specific template for notifiable data breaches. This template is designed to assist in the clear and compliant notification process, ensuring that both individuals at risk and relevant authorities are informed according to the act’s requirements.
Alternatively, organisations can review the Australian Government’s guidance, “Data breach preparation and response”, on the OAIC website.