Cyber attacks can cause significant financial loss and reputational damage to your business. In the recent Optus data breach, hackers gained access to the personal information of over 10 million Optus customers, resulting in severe consequences for the Australian telecommunications company. This article explains your legal obligations if your business experiences a data breach, to help keep you compliant and prepared.
What is a data breach?
A data breach happens when personal information held by your business has been accessed or disclosed without authorisation, or is lost. Examples include:
- Hacking of your databases by an external source
- Loss or theft of digital devices like a work laptop which contains personal information
- Unauthorised access to personal information by employees or contractors
What is personal information?
Personal information includes any information that could identify someone, such as:
- Their name, address, or date of birth;
- Credit or financial information;
- Employment information;
- Photographs; or
- IP address.
What is an eligible data breach?
The Privacy Act requires businesses to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of eligible data breaches. An eligible data breach is one where:
- There has been a data breach (personal information held by your business has been accessed or disclosed without authorisation, or is lost);
- The breach is likely to result in serious harm to affected individuals; and
- Your business has been unable to prevent the likely risk of such harm.
When is a breach serious?
The seriousness of a breach is assessed according to all the circumstances. Things to consider include:
- The kinds of information compromised, e.g. financial information, health information or documents commonly used for identity fraud (such as a passport) may be more serious
- The persons who obtained the information
- The scale of the data breach, e.g. a large-scale breach is more likely to be serious
- Whether the information was protected by any security measures
What are my reporting obligations?
Organisations or agencies covered by the Privacy Act 1988 (Cth) must report eligible breaches to any affected individuals and the OAIC. Such organisations include businesses with an annual turnover of more than $3 million, and other small businesses such as those selling personal information or health service providers.
Your report should include the following information:
- Your business name and contact details
- A description of the data breach and surrounding circumstances
- Details about what information was compromised
- Recommended steps for affected individuals
Key takeaways
- A data breach happens when personal information held by your business has been accessed or disclosed without authorisation, or is lost.
- Businesses covered by the Privacy Act must notify affected individuals and the OAIC of eligible data breaches.
- Eligible data breaches are data breaches which could result in serious harm that the business is unable to prevent.
This article was written by Ruth Ong.