If your business collects personal information from its customers, it is vital that you prevent that information from being disclosed to or accessed by people outside your business (or misused by people within your business). Such disclosure, access or misuse can result in serious harm to your customers, ranging from stress and anxiety to identity theft.
The increasing incidence of hacking of business information systems makes it more likely than ever that unauthorised people will access the personal information that your business holds. So, what should you do if you discover that the information has fallen into the wrong hands?
First, some background:
What is personal information?
Personal information includes:
• Identifying information, such as name, date of birth, address, email address and telephone number;
• Financial information, such as credit card details and bank details; and
• Sensitive information, such as medical and health information, ethnicity, etc.
What is a data breach?
A data breach occurs when personal information that your business holds is accessed by or disclosed to an unauthorised person or is lost. Examples of data breaches include:
• Loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information;
• Unauthorised access to personal information by an employee or a hacker;
• Inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person; and
• Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
What are your legal obligations?
If your business turnover is more than $3 million annually, then your business is required to comply with the 13 Australian Privacy Principles under the Privacy Act 1988, concerning collection, protection and eventual deletion or destruction of your customers’ personal information.
In addition, if a data breach occurs and there is a resulting risk of serious harm, it is an ‘eligible data breach’ and your business is required to notify the Office of the Australian Information Commissioner (OAIC) of the breach.
Even if your business turnover is less than $3 million per annum, it makes good business sense to comply with the Privacy Act, because of the potential harm to your customers and damage to your business’ reputation that would result from a data breach.
What is serious harm?
Serious harm may include harm to an individual’s physical or mental well-being, financial loss, or damage to their reputation. Examples of harm include:
• Financial fraud, including unauthorised credit card transactions or credit fraud;
• Identity theft causing financial loss or emotional and psychological harm;
• Family violence; and
• Physical harm or intimidation.
Responding to data breaches — 4 key steps
Generally, the actions taken following a data breach should follow four key steps:
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify affected individuals and the OAIC if required.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
The importance of having a Data Breach Response Plan
When a data breach is discovered, it is vital to act quickly and complete Steps 1–3 as soon as possible. That is why your business needs a clearly defined plan of action, which ensures that all of your business’ personnel know what they have to do.
Amongst other things, the plan should start by defining each person’s role and responsibilities, and the reporting lines between them, so that there is no delay in implementing the plan. Key roles may include:
• A team leader and/or project manager;
• Your business’ privacy officer;
• Legal support;
• Risk management support;
• Information and Communication Technology (ICT) support/forensics support;
• Information and records management expertise;
• Human resources (HR) support;
• Media/communications expertise; and
• An insurance intermediary.
Testing the plan
To ensure that your business’ Data Breach Response Plan will operate smoothly and effectively in practice, it is vital to test it with hypothetical examples of data breaches. This will familiarise your personnel with the plan and what they have to do (and may reveal unforeseen issues that need to be addressed either in the plan or more generally in your business’ systems or processes).
Atkinson Vinden can help you prepare a Data Breach Response Plan
There are many more aspects of law and practice that are relevant to preparation of a Data Breach Response Plan than are mentioned in this brief summary. Atkinson Vinden can assist your business to prepare a plan that complies with all necessary requirements. Call one of our commercial lawyers today for an initial consultation on your business’ specific situation.