We’ve been active in communicating around breaches within particular industries, breach notification requirements across the 50 US states, and the effects of GDPR on data retention, breach notification and email security. Now, with Australia’s breach notification requirements in effect, there’s another regime to add to the fold.
As of February 22nd, 2018, Australia’s Notifiable Data Breaches (NDB) scheme is in effect. It requires agencies and organizations covered by the Privacy Act 1988 to notify affected individuals, and the Office of the Australian Information Commissioner (OAIC), when personal information they hold is involved in a data breach that is likely to result in “serious harm”. Notification must be made as soon as practicable after the organization becomes aware of the breach and has assessed that it meets the threshold.
As we’ve discussed in previous articles, harm standards can often be ambiguous. Notification is usually required only once a threshold of harm has been met, yet regulators frequently give no clear rules for deciding what counts as serious harm to users, customers or consumers. Implementing NDB as a single national standard, backed by regulator guidance, leaves less room for interpretation about when a breach notification is justified.
To that end, the Australian government has laid out a significant body of guidance that walks step by step through what can legally be considered a “data breach”, how to assess whether that breach is likely to cause “serious harm”, and therefore when a notification is required.
Essentially, these guidelines will be familiar to anyone who has dealt with breach notification elsewhere. A breach involving sensitive information is considered likely to justify notification if malicious actors could plausibly obtain the information and use it to harm or defraud the individual, or use it to circumvent any related security technology or process (for example, by answering account-recovery questions).
According to Australia’s NDB guidance, the following kinds of information are considered sensitive:
- Information about an individual’s health;
- Documents commonly used for identity fraud (including a Medicare card, driver’s license or passport details);
- Financial information;
- Any combination of types of personal information that allows more to be inferred about an individual than may already be known.
Generally speaking, the sensitivity of the affected individuals’ information, the number of people involved, the circumstances of the breach (for instance, whether data was exposed accidentally or deliberately targeted), the length of time the information was accessible, and whether it was encrypted or otherwise protected, are all criteria used to determine whether a breach notification is required. This extends to the potential harm that may result from the breach, which could include but is not limited to:
- Identity theft
- Significant financial loss by the individual
- Threats to an individual’s physical safety
- Loss of business or employment opportunities
- Humiliation, damage to reputation or relationships
- Any form of bullying or marginalization
Beyond notification, organizations are expected to contain and remediate the breach and to improve protection thereafter, whether through encryption of data at rest and in transit, tighter access controls, or other means. The guidance explicitly treats strong encryption of the lost or exposed data as a factor that can reduce the likelihood of serious harm. Solutions like Secure Email Encryption can be critical in these circumstances, while general email protection can also provide broader coverage against the risks of a data breach and the subsequent cost of notification and remediation.
As we can see, Australia is joining an international group of jurisdictions implementing breach notification requirements at the national level (such as the EU, Canada and others). It is likely only a matter of time before the US follows suit with a federal standard in place of its patchwork of state laws. There are important ramifications to these breach notification regulations. How do you think data protection may evolve to affect international business, no matter the size?