Which small businesses have mandatory data breach reporting obligations? + 1st Quarter statistics

Another topic I have written a lot on is the Federal Government’s mandatory reporting regime.

I have been asked many times to explain the obligations on small business and so I outline them below. After that I provide some stats at a high level on the first quarter reporting.

From 22 February 2018, the Notifiable Data Breaches scheme (“NDB scheme”) requires a wide range of organisations to report data breaches that are ‘likely to result in serious harm’ to the individuals whose personal information is affected by the breach. They will also be required to notify the Office of the Australian Information Commissioner (“OAIC”).

The NDB scheme applies to organisations that already have obligations to secure personal information under the Privacy Act 1988 (Privacy Act). Generally, this does not include small businesses that have a turnover of $3 million a year or less.

However, there are a few exceptions. Organisations that fall under the following categories will have mandatory data breach reporting requirements, regardless of their size:

  • Health service providers (including, for example, private hospitals, day surgeries, medical practitioners, pharmacists, allied health professionals, gyms and weight loss clinics, childcare centres, and private schools);
  • Organisations that trade in personal information;
  • Credit reporting bodies;
  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009;
  • Organisations that opt-in to being covered by the Australian Privacy Principles under section 6EA of the Privacy Act.

The NDB scheme will also apply to small businesses in these categories that are based overseas if they have an ‘Australian link’.

[Note: An ‘Australian link’ generally extends to the overseas activities of an Australian Government agency (s 5B(1)). It also applies to organisations (including small businesses covered by the Act, outlined above) that have an ‘Australian link’ (s 5B(2)). An organisation has an Australian link either because it is, in summary, incorporated or formed in Australia (see s 5B(1A) for more detail), or where:

  • it carries on business in Australia or an external Territory, and
  • it collected or held personal information in Australia or an external Australian Territory, either before or at the time of the act or practice (s 5B(3)).

Further information about entities that are taken to have an Australian link is available in Chapter B of the APP Guidelines.]

Tax File Number (“TFN”) recipients (which is any person in possession or control of a record with TFN information) will also need to comply with the NDB scheme in relation to their handling of TFN information. This means that if TFN information is involved in a data breach, a TFN recipient will be obligated to meet the requirements of the NDB scheme.

Organisations that are not covered by the NDB scheme are encouraged to use the information on notifying individuals under the scheme to create or review their data breach response plans.

Being transparent when a data breach occurs is central to meeting community and consumer expectations. 94% of Australians believe they should be told when a business loses their personal information. Informing individuals about a data breach is one step that organisations can take to demonstrate that they take their responsibility to protect personal information seriously.

And as a practical measure, notifying individuals at risk of harm can provide them with the opportunity to reduce their chances of experiencing harm. For example, individuals can resecure compromised online accounts. This can reduce the potential impact of a data breach overall.

As always, I recommend that every business and/or organisation review or develop a business continuity management plan, obtain and/or review their Cyber Insurance, and discuss the many and varied options available with their insurance broker.

Now to the 1st Quarter reporting stats:

Key statistics from the first quarterly report include:

  • Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
  • 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
  • 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
  • 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of less than 1,000 individuals.

The key point for me here is that just over half were through human error. No matter what systems we have in place, it is people risk that is our greatest risk in so many areas of our organisations and cyber security is no different!
