Privacy compliance will become significantly more important for all companies in Australia now that the government has enacted its mandatory data breach notification regime. This means that if someone’s personal information held by you has been compromised, you now have to tell them. Before the legislation, you did not have to inform affected people. Given the dramatic rise in data breaches caused by hacking or poor systems and processes, companies will need to be significantly more vigilant about their data management and breach reporting practices. We have fixed price compliance packages which can help – see below for more information.
The new obligations
In a relatively swift conclusion to a long-running saga, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) passed through the Senate on 13 February 2017. The Bill introduces a requirement for private sector organisations that suffer a sufficiently serious data breach to notify affected individuals and the Privacy Commissioner of the occurrence of that breach.
In line with the general provisions of the Privacy Act 1988 (Cth), the mandatory data breach obligations will apply to all organisations with an annual turnover of A$3,000,000 or more. As discussed in our previous legal update, the Bill will mean that these organisations will need to be prepared to respond to a data breach, including to assess whether an eligible data breach has occurred and to promptly comply with their notification obligations if necessary.
What do I have to do and when?
The next step is for the Bill to receive Royal Assent from the Governor-General. The date that the Bill receives Royal Assent is important, as amendments set out in the Bill will come into effect 12 months after the date of Royal Assent. The giving of Royal Assent is typically a formality, so we expect that this will occur in the near future. This means the clock has begun ticking for organisations to start preparing to comply with these obligations and commence the process of putting a plan in place to assess and respond to any data breach that might occur.
How we can help
We have three fixed-price packages that can assist you to comply:
Mandatory Data Breach Reporting Package ($5000 + GST). This package includes our Data Breach Reporting Manual, template Incident Response Plan, Emergency Checklist, template Notification Letters and one hour of a privacy lawyer’s time.
Vendor Data Management Package ($4000 + GST). Many data breaches occur because vendors expose your data in some way. It is critical to have strong contractual data management provisions in place with any vendors who handle personal information for you. This package includes a detailed Data Security Schedule for Vendor Agreements (annotated), Negotiation Playbook, FAQs and one hour of a privacy lawyer’s time.
In addition, we can run a data breach simulation exercise with your organisation to stress test how ready you are to comply with the new laws.
Complete Data Breach Protection
It is critical to have a data breach response plan setting out what to do if a data breach occurs. Many breaches arise from weaknesses in external service providers’ IT systems, rather than your own systems. It is therefore important to have a vendor cyber-risk management framework in place.
For an actual or potential cyber-incident (including data breach and network interruption), having a ‘breach coach’ in place is crucial. As your ‘breach coach’, we will work with you to provide a streamlined response by assessing the size and nature of the incident, taking steps to contain it, and co-ordinating our panel of carefully selected third party vendors, all the while managing stakeholders’ interests and mitigating potential loss.
Our early involvement and establishment of legal professional privilege protects you to the maximum extent possible as far as sensitive communications are concerned.
Our dedicated team of experts can help you plan for, or manage, a data breach. To find out more, contact Nick Abrahams or Tricia Hobson.