For businesses in Australia, the potential reputational and financial risks associated with cyber security and data breach incidents are serious and very real. Regulators are closely monitoring data protection and privacy law compliance on a global basis, and so are tech-savvy customers. Cyber security is no longer just an IT issue, but must be proactively managed by organisations and their boards across all aspects of a business’ operations.
A complex and international legal jigsaw
Notifiable Data Breach Scheme
In February 2018 the mandatory data breach notification regime was introduced in Australia as part of the Privacy Act 1988 (Cth), making businesses publicly accountable for ‘eligible data breaches’ where the access, disclosure or loss is likely to result in ‘serious harm’ to the relevant individuals. Keep in mind that these mandatory notifications have effectively provided the regulator with a window into a business’ privacy compliance program, or lack thereof. Accordingly, we strongly recommend businesses consider getting legal advice both about:
- whether the breach is an eligible data breach such that notification is actually required; and
- if so, the content of the notification to the regulator and any early remedial steps that should be taken simultaneously with the regulator’s investigations to prevent reoccurrence.
GDPR
The EU General Data Protection Regulation (GDPR) also commenced in May 2018, with international reach that affects many Australian businesses, particularly in the digital or online marketplace. The GDPR will apply to Australian businesses that:
- are established or have an office in the EU;
- offer goods or services to individuals located in the EU (including via the internet);
- export or process any personal data from the European Economic Area; or
- monitor the behaviour of individuals in the EU.
Businesses that do not comply with the GDPR can face hefty fines of up to the equivalent of €20 million or 4% of annual worldwide turnover, whichever is higher. Accordingly, it’s worth checking whether the GDPR applies to your business.
OAIC: A stronger and more resourced regulator
It is clear from the statistics of reported data and privacy breaches, and from the tough statements issued to date by the Office of the Australian Information Commissioner (OAIC), that we can expect cyber security, data protection and privacy law compliance to continue to be closely watched by regulators globally as they test both the new Australian data breach regime and the reach of the GDPR. Increased funding to the tune of $25 million over three years has also been announced to give the OAIC additional tools to pursue a more active enforcement approach. Also pending are proposed increases to the maximum penalties under the Australian Privacy Act for serious or repeated breaches, to the higher of:
- $10 million for serious or repeated breaches (up from $2.1 million); or
- three times the value of any benefit obtained through the breach and misuse of personal information; or
- 10% of the entity's annual domestic turnover.
This, combined with proposed new infringement notice powers and penalties of up to $63,000 for companies or $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches, would bring the Privacy Act into line with other Australian consumer legislation, and move it closer toward the stricter requirements and tougher penalties available under the GDPR.
The Statistics: A real business problem
In the meantime, the statistics clearly show the reality of the cyber security and data breach threat. In just the first year of the notifiable data breach scheme:
- there were 964 eligible data breach notifications;
- 60% were malicious or criminal attacks; and
- more than a third of breaches were attributed to human error (e.g. sending emails to the wrong recipient).
The percentages were even higher in the health and finance sectors, which reported the most breaches and where human error was the leading cause. This clearly underlines the importance of training staff on privacy obligations and procedures, given they are on the front line of protecting an organisation from breach.
Top five legal tips for a cyber resilient business
With an increasingly online business marketplace and savvy consumers who expect businesses to respect their privacy, it is critical for businesses and boards to get across the complexities of Australian and international data privacy laws and implement practical, organisation-wide compliance programs that are led by a cyber-conscious board strategy. At a minimum, to minimise cyber and data breach risks we recommend businesses and their boards:
1. Cyber and data privacy compliance audit
Ensure your business is across the regulatory requirements that may apply to it. This covers everything from up-to-date privacy policies that are tailored to your business and include the relevant permitted uses and consents as your services evolve, to collection notices, cookie policies, consideration of whether the GDPR applies to you, privacy by design across your whole organisation, and training for the staff on the frontline who actually deal with personal data and sensitive information and must be across what they should and shouldn’t be doing. Your compliance strategy should take into account your organisation’s specific, bespoke data lifecycle (including across group companies and business units): data collection and the relevant types of information, permitted uses, disclosure, storage, de-identification, destruction and more.
2. Cyber security review
Undertake a review of your cyber security position to reduce the risk of breach, and ensure that cyber security is on your board’s agenda, with appropriate policies, training and strategies implemented. Cyber security is a critical part of your legal privacy obligations and, combined with a comprehensive privacy by design approach to organisational structure, data flows and IT systems, can significantly reduce the likelihood of data breaches and the subsequent public damage to your brand and your customers’ trust. Not sure where to start? Check out the Australian Cyber Security Centre’s Essential Eight or the National Institute of Standards and Technology Cyber Resilience Framework.
3. Data breach response plan
Be ready to deal with mandatory data breach notification obligations swiftly and effectively by putting in place a Data Breach Response Plan. Between human error, malicious cyber attacks and phishing incidents, the reality is that all businesses are at risk. Having an effective plan in place that corresponds to the legal considerations can better protect your business, catch breaches early, prevent unnecessary harm to your customers and, where breaches are effectively contained, even avoid having to report the breach because no serious harm results and no eligible data breach occurs.
4. Overseas disclosure
Businesses should make sure they know where their data is at all stages of the data life cycle, which often means asking IT service providers (both in-house and external contractors) where your business’ data is going. Overseas disclosures or transfers of data, particularly via IT service providers, data centres and cloud storage or hosting services, are more common than you think. Businesses in Australia remain accountable for any breaches of the Australian Privacy Principles (APPs) by overseas third-party providers, so you should ensure any IT service agreements impose appropriate compliance obligations that align with the APPs and the GDPR (as appropriate), including obligations to assist you with investigations and mandatory reporting in the event of a data breach.
5. Data retention and destruction policies
Given how relatively cheap cloud-based data storage is these days, combined with the value of customer data to businesses, there is an increased risk that businesses simply keep data and electronic records indefinitely, and certainly much longer than they may be permitted to under their privacy policy and applicable laws.
Under the APPs, there is a specific obligation on businesses to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any permitted purpose, unless they are required by law to retain the information for a certain period (or have another lawful reason). Following a bank’s data breach, the OAIC recently reminded all organisations that they should proactively manage their data holdings and:
“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date… data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed…”
Failing to do so can increase the risk that personal information will be compromised. Organisations are responsible for enforcing data retention obligations when outsourcing to contracted service providers.
Cyber security and data privacy - a Board issue
Given the seriousness of the risk and potential for damage to a business’ reputation, cyber security and data privacy compliance must be prioritised and firmly placed on the Board agenda. Boards must ensure a cyber security and data protection strategy and compliance program are developed to manage the organisation’s risks at a level relevant to the size of the business. Some key questions for Boards to consider include:
- Does the organisation perform regular cyber security and data privacy compliance monitoring and audits? Does our audit committee cover this or is a specialist subcommittee or outsourced expertise required?
- Do we have a formal policy and procedure in place for cyber security and data breach incidents?
- When was the last time our privacy policies were updated? Do they reflect our evolving business structure, services, practices and uses of data? Have we considered the GDPR and its impact on any online or international aspects of the business?
- Do we provide regular training to our staff and management on cyber security and data privacy obligations? Have we ever tested our staff or run a hypothetical “breach” scenario (such as a fake phishing email) to identify any need for additional training? Given the likelihood of human error being involved, how do we encourage staff to report breaches?
- Do we have cyber security insurance under our business insurance policy?
It is critical for businesses and boards to understand cyber security risks and to have in place compliant privacy and data breach policies and practices, including trained staff. This must be led by the board of directors and driven by managers who recognise the growing complexity of businesses’ digital operations and the importance of implementing an effective, multi-faceted cyber and data privacy strategy across the organisation to reduce emerging cyber risks.