We store personal data for diverse purposes: health services store patient information, retailers store past purchases and buyer preferences, charitable organisations store information about past donations. In some cases, organisations are required to hold onto this information for tax or other compliance purposes.
Personal data is a valuable asset, but it is also one that must be managed with care, and the costs of mismanagement are high. In its Cost of a Data Breach Report 2021, which drew on 537 real data breaches across 17 countries and regions and 17 industries, IBM reported that 2021 had the highest average cost to date, with the average cost of a data breach reaching $4.24 million USD.
What is a notifiable data breach?
A data breach occurs when personal information is accessed or disclosed when it should not be, or when it is lost.
Personal information, under the current Privacy Act 1988, is defined as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not.
A data breach can harm the individuals whose data has been compromised. Negative outcomes range from identity theft, reputational damage and fraud to family violence or harassment.
The notifiable data breaches (NDB) scheme falls within the purview of the OAIC. Under this scheme, organisations must notify the OAIC and the affected individuals when a breach occurs that is likely to cause serious harm.
Who has to comply with the notifiable data breaches scheme?
Currently, the NDB scheme applies to organisations covered by the Privacy Act 1988, which means that small businesses with an annual turnover of $3 million or less are usually exempt, unless they fall under another covered category (such as health services).
A failure to comply with the Privacy Act 1988, or a failure to notify the OAIC and affected individuals under the NDB scheme, may result in serious fines, and will almost certainly result in a loss of trust from those whose personal information the organisation holds. Preserving critical customer relationships is also a compelling reason for small businesses, who may be otherwise exempt under the law, to comply voluntarily.
What to do in case of a breach
It is a worst-case scenario, but not all breaches can be foreseen and prevented. For example, a data breach can result from unlikely events such as the theft of office equipment, or even from disasters such as fires or flash floods. Agencies and organisations subject to the Privacy Act should be familiar with their obligations and responsibilities, and the OAIC publishes a wealth of guidance and advice to help with this, including on responding to data breaches.
How do you prevent a data breach?
Whether or not a data breach has the potential to cause harm and become notifiable, it’s important to treat personal information with respect and care. It is much better to avoid any kind of breach than it is to respond to it, no matter how good the response plan.
There are several things that you can do to help prevent a data breach:
- Keep systems up to date. Applying updates promptly removes known bugs and closes known loopholes, reducing the technical vulnerabilities that could be used to compromise personal data.
- Eliminate dirty data. Poor quality data, outdated data or duplicated records can contribute to the inappropriate exposure of personal data and create confusion about processes. These problems should be reduced as much as possible.
- Ensure staff understand data privacy obligations. The people who access and use a given system are its most vulnerable point. Quality staff training and clear documentation will help ensure your staff recognise phishing scams, prevent unauthorised access, and understand what they may and may not disclose in the course of their work.
- Data governance is key. A strong data governance policy will help you ensure your whole organisation is aligned with best practice data management. This includes assessing business priorities and creating policies about what information to store, how, and where.
Typically, addressing a data breach is a costly and inconvenient disruption to an organisation’s daily operations, with long-term effects on its reputation and on its relationships with the people who trust it with their personal information. In the case of data privacy, an ounce of prevention is worth a pound of cure.