Mandatory Data Breach Reporting

New data breach laws are now in effect that apply to businesses earning at least $3 million per year, as well as to any business that deals with “personal information” (e.g. dates of birth, bank account numbers, tax file numbers, driver’s licences), which includes accountants.

Eligible data breach

The term used in the legislation is “eligible data breach”.

An eligible data breach occurs when:

  • There is unauthorised access to, or disclosure of, information and a reasonable person would conclude that the access or disclosure would result in serious harm to the individuals to whom the information relates; or
  • The information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur and would result in serious harm.

Examples of eligible data breaches

Examples of eligible data breaches include a hack of a business’s computer system in the general sense, as well as an employee losing a phone that held work emails or data and being unable to recover it.

That is, if you lost your phone on the bus and were able to recover it from between the seats without it seemingly having been touched, you might reasonably conclude that there has been no data breach.

However, if you were not able to recover your phone at all, then it would be reasonable to conclude that a data breach has occurred.

Serious harm

Businesses only have a reporting obligation if the eligible data breach will result in “serious harm”.

It is a matter for the business to decide whether “serious harm” is imminent, but the guidance available to businesses includes:

Serious physical, emotional, economic and financial harm, as well as serious harm to reputation and any other form of serious harm that a reasonable person would identify as a possible outcome of the data breach.

What businesses have to do

If a business has reasonable grounds to believe there has been an “eligible data breach” (and that the breach will result in “serious harm”), then it has an obligation to report it to the Australian Information Commissioner and to the individuals affected, and to mitigate the breach, as soon as practicable.

The Commissioner’s website (https://www.oaic.gov.au) has helpful information on the reporting process and the standard forms to be submitted.

The purpose

The purpose of these new laws is to protect the personal information businesses hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The impact of data breach – real case example

Uber was in the process of being sold. As part of the buyers’ due diligence process it was uncovered that Uber had covered up a massive hack of 57 million users’ data, including names, email addresses, mobile numbers and driver licence numbers.

At the time of the due diligence investigations the value of Uber was reportedly $68 billion.

As a result of the “massive hack” (as well as other factors), the value of Uber fell to $48 billion.

Uber failed to comply with international reporting obligations, various staff were fired, and a class action was brought for negligence.

Further information

The information set out above is general in nature, and if you have any specific questions we ask that you contact us to discuss.
