In late 2017 it was discovered that the multibillion-dollar international company ‘Uber’ had had its clients’ data compromised, yet the business did not inform its customers of the breach and instead paid the hackers $120,000 to keep quiet.

The Notifiable Data Breach (NDB) scheme came into effect on 22 February 2018 and applies to breaches occurring on or after 23 February 2018.

Businesses need to ensure they take adequate measures to prevent a data breach and are able to respond appropriately in the event of one. All businesses and organisations should review their privacy and data security protocols to ensure that they will be able to comply with the NDB scheme for mandatory data breach notifications now that it is in force.

The main objective of the new laws is to ensure that an ‘eligible data breach’ is notified. An eligible data breach is defined as ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity where the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates’.

This information would include personal details, credit reporting information, credit eligibility information and tax file number information. Serious harm could be anything that constitutes physical, psychological, emotional, financial or reputational harm.

What kinds of businesses does this scheme apply to?

The NDB scheme will apply to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3m or more, credit reporting bodies, health service providers and TFN recipients, among others.

It is important to remember that companies with a turnover below $3m will also be affected if they:

  • provide a health service and hold any health information (except in an employee record) including hospitals and medical practitioners as well as gyms, weight-loss agencies, child care centres and alternative medicine practices;
  • disclose personal information about another individual to anyone else for a benefit, service or advantage;
  • provide a benefit, service or advantage to collect personal information about another individual from anyone else;
  • are a contracted service provider for a Commonwealth contract;
  • are any credit reporting body; and
  • are related to a business that is covered by the Privacy Act, i.e. a subsidiary of an organisation that fits one of the above criteria.

Determining whether these exceptions apply can be difficult, and the Office of the Australian Information Commissioner has pushed for a broad interpretation of these categories. If a company fails to notify a data breach, then a civil penalty can be applied for serious or repeated interferences with the privacy of an individual, which can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

For more information on insurance relating to Notifiable Data Breaches (NDB) and Cyber Risk cover, please apply online or call us on 1300 787 789.