With the global media spotlight on privacy and data breaches, and reputational damage to companies such as Facebook, it has never been more important to protect your customers’ data. An increasingly complex web of national and international laws governs the treatment of data in Australia and around the world. With its unmatched global network, Norton Rose Fulbright is ideally placed to advise on:
Early planning is critical to protecting your organisation, complying with regulation, and preparing to respond effectively to a cyber incident in the case of a breach. We provide an end-to-end service offering which covers both the advisory and contentious stages of the data breach lifecycle, including:
| Stage | Breach protection service |
|---|---|
| Protect | We protect by advising organisations on their data security and privacy obligations and potential cyber security risk exposures. This includes conducting digital risk audits, and advising on incident response readiness, cross-border data flows, IT vendor risks and regulatory risks. |
| Respond | We respond through acting as 'breach coach' during an incident, advising on the legal issues (primarily, risk of harm and notification requirements), while also managing stakeholder interests and mitigating potential future loss. Our Respond Service includes managing claims for our insurer clients and their insureds in both coverage and response (or defense) capacities. |
| Recover | We recover through assisting our clients to respond to further regulatory investigations, respond to any media coverage, defend third party claims and pursue recovery actions. Our end-to-end capabilities mean we are best placed to understand how the breach, investigation, response, remediation and notification aspects will impact potential litigation. |
Having acted on the three largest data breaches in Australia, our team’s unrivalled experience is highly valued by our clients.
The new mandatory data breach notification laws came into effect in Australia on 22 February 2018 and affect all Australian businesses with an annual turnover over AU $3 million. Eligible data breaches must be reported, including those in your supply chain. Find out how the new Australian data privacy regulation will impact your business here. Or ask Parker, our data privacy chatbot, for more information!
What are the consequences of non-compliance?
Breaking your customers’ trust can have significant consequences for an organisation’s bottom line, and any potential breach must be quickly identified and managed. Penalties for non-compliance are up to AU$420,000 for an individual and AU$2.1 million for an organisation.
Australian privacy compliance packages
Managing privacy compliance is a step-by-step process. Norton Rose Fulbright privacy experts have put together affordable, fit-for-purpose packages to help protect your organisation. Find out more about our privacy compliance packages.
The European Union’s new General Data Protection Regulation (GDPR) is a comprehensive framework (effective from 25 May 2018) that will have implications for any organisation that holds data on EU citizens, regardless of whether the business operates in the EU. The new laws set out new and detailed privacy requirements, including rules on data governance and accountability, obligations to undertake privacy impact assessments, and record keeping requirements for personal data processing. New data breach notification requirements include a 72-hour deadline.
What are the consequences of non-compliance?
Severe fines could be imposed for companies in breach of the GDPR – up to 4 percent of annual worldwide turnover or €20 million, whichever is greater.
As ‘breach coach’ we work with you to provide a streamlined incident response service across a range of incident types, including data breach and network interruption.
We coordinate the entire response by assessing the size and nature of the incident, taking steps to contain it, coordinating our panel of carefully selected third party vendors, all the while managing stakeholders’ interests and mitigating potential loss. This includes advising the Board on continuous disclosure obligations.
Our early involvement and establishment of legal professional privilege protects you to the maximum extent possible as far as sensitive communications are concerned. The protection of legal professional privilege is critical in any response; this is why our ‘breach coach’ process is so effective. It is an engagement model perfected by our US colleagues, who have been dealing with mandatory breach notification for over a decade.
We provide a hotline for incident responses – please contact us for further information on this service.
1. Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.
2. Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.
3. Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.
4. Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post-notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post-notification.
5. Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.
© Norton Rose Fulbright LLP 2023