NDB legal obligations affecting all Australian businesses
With the Notifiable Data Breach scheme (NDB) in place, businesses are now legally obligated to own their security protocols. Malcolm Burrows, Principal of Dundas Lawyers, discusses the far-reaching implications of the NDB and how it may affect all Australian businesses.
With information easily stored and contained across millions of databases worldwide, Malcolm discusses the pre-planning systems businesses should be addressing now to protect personal information held about their customers.
The NDB applies to an organisation with a turnover of $3M or more, “However, there is a whole range of other exceptions.” Malcolm says the NDB is more broad-reaching than it might initially seem. It requires a series of steps for an entity to be compliant under the Privacy Act.
“For example if you own an accounting practice and you’re not turning over $3M, you may think that you don’t need to do anything… Well you do, because you hold tax file numbers and personal information.”
The Privacy Commission has put together a descriptive guide on what businesses have to do. However, Malcolm believes the procedures would “have to be evaluated further for larger organisations to have effective policies and systems.”
“You can imagine at 2.00am a CEO of a large tech company gets hacked and all of their data is leaked. What does the CEO do? Who notifies the CEO in the first place? You need steps in place in order to minimise harm for the affected individuals.”
Important steps for businesses to consider:
- How do you identify a data breach?
- How is it reported?
- How does it come to the CEO’s attention?
- Then what is the business meant to do?
Business pre-planning will help avoid problems
Effectively it’s a pre-planning scenario. If an eligible data breach occurs and serious harm results, and you don’t have systems and processes in place to deal with it, the Privacy Act provides for civil penalties to be administered. Effectively there is a pecuniary penalty provision in place.
Serious interferences with privacy can attract penalties of up to $420K, so it’s not something to ignore. Under other sections of the legislation, a business can incur fines of up to $1.8M.
Malcolm goes on to say, “On the one hand the NDB is complex, but on the other hand it is simple. This is the irony of this sort of thing.” Important questions for businesses to ask include: ‘What sort of information does an organisation collect and store about individuals?’ Each organisation will be different.
Identifying whether the business actually needs the personal information it collects should also be a priority. Malcolm asks, “Do you collect someone’s address? Do you need the address?” Businesses need to modify their systems so that collecting unnecessary information does not create unnecessary problems. “If a business doesn’t need to collect personal information about an individual—then don’t collect it in the first place.”
The ease of anonymity
The National Privacy Principles (NPP) provide guidelines for businesses that collect information, including giving individuals the opportunity to provide details anonymously. “I have to laugh when I fill out surveys and I’m asked questions like ‘What’s your date of birth?’. I always ask ‘Why do you need to know? I’m an adult. If you’re letting me into a pub, there might be a reason to prove I’m over 18. But if you don’t have to store that information about me—then why ask?’ Those sorts of things are part of a process of reviewing compliance with the Australian Privacy Principles (APP).”
There are simple things organisations can do to be more secure. “Like making sure they have simple, robust password policies. So, if someone loses the company laptop, then it’s not going to be hacked.” Another big one is making sure “off-site backups are encrypted because if they’re lost that data could also be hacked.” Those are systemic things organisations can do to protect the personal information they store.
There’s a widespread misconception about what personal information is. Some people have a perception that it’s about whether ‘I’m a Virgo or a Cancer’. Put simply, it is information capable of identifying an individual. “We see a lot of organisations taking that information and encrypting it. There are also processes in place to limit access to personal information by having a public key—private key encryption scenario,” says Malcolm.
Businesses can also engage in an audit of privacy practices to determine what information is needed and what is actually collected. “You can be an eligible organisation and not collect any information about individuals, or not store it, so effectively that would mean it’s very simple for you to comply.”
Many businesses are choosing a managed service provider (MSP) to help with security. Malcolm advises businesses to research an MSP’s practices thoroughly. “You can say that’s not our problem—they’re dealing with it. It’s not good enough to simply take that approach.” Businesses need to take steps to make sure that particular entity is compliant.
Case study at the pub
“The last time I went to a pub it was for an event. They were asking questions for their database. I said well, ‘What for? What do you need that for?’.” If it was for a marketing campaign, there are boundaries on that, and to an extent it overlaps with spam. There are spam laws, but largely it was information they didn’t need to collect.
There needs to be an understanding of what the business is using the information for. Where possible, the business can take the information but make it anonymous. “You don’t need to deal with me as an individual, sending me a ‘Dear Malcolm’ on my birthday if I go to your pub. It’s a bit of a stretch isn’t it? However if I’m a platinum member and I’ve paid for some discount promotion, and I’ve opted in, then that’s another story.”
Earning under $3M—what are your legal obligations?
Technically, businesses under $3M (provided that they don’t fall within one of the exceptions) don’t have to comply, depending on the nature of what they do. However, there are many tech companies turning over less than $3M that provide services to businesses turning over more than $3M. “Therefore, the question is in that case, ‘Is their lack of compliance causing their client to be un-compliant?’.”
If you’re providing services to another company it may mean that your actions put them in breach if you do nothing.
If a company is outsourcing a certain aspect of its IT function, “there needs to be a duty to make enquiries about their security protocols and to ascertain if they are compliant with the Privacy Act.”
Testing the system
There needs to be a culture where it’s OK to report things. Malcolm says, “For tech companies it’s not just about a breach where there’s a potential loss of personal information. It’s how do they report a new security vulnerability? How do they deal with that and action it, and prove they’ve actioned it? That to me is a huge concern. It’s one thing to act on something, but to have a system in place to address things quickly, test that system and then provide proof of what was done after the fact is very important.”
Terry Group Consulting (TGC) will be highlighting different perspectives of experts within the field of cyber security. We thank Malcolm Burrows, Legal Practice Director at Dundas Lawyers, for his legal expertise.
Next week, Jeremiah Dowd, Senior Security Consultant at Proficio, will be featured.