Insurance in Motion – Mandatory Reporting of Data Breaches


A reminder that on 22 February 2018, the Commonwealth Government passed into law the Privacy Amendment (Notifiable Data Breaches) Act 2017 which creates a notifiable data breaches (NDB) scheme nationally. Agencies and organisations are obliged to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”.

The NDB scheme generally applies to Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3M. Once an agency or organisation becomes aware of a relevant data breach which is likely to result in serious harm to an individual, it must promptly notify the individual(s) at risk and lodge a notification statement with the Office of the Australian Information Commissioner (OAIC). Failure to comply with these steps can attract fines of up to $2.1 million.

The OAIC has released a helpful response summary to help those impacted by the NDB scheme understand their obligations once a breach has occurred. Briefly, these are as follows:

  1. Contain – take immediate steps to limit any further access to or distribution of the information.
  2. Assess – consider whether the breach is likely to result in serious harm to any individuals (within 30 days). Where possible, remedial action should be considered and taken.
  3. Notify – prepare and lodge a notification statement with the OAIC and notify all affected individuals.
  4. Review – reflect on the incident and take action to prevent further breaches in the future.

Insurers should be aware of the likely implications the NDB scheme will have on Insurers and Insureds alike, particularly in the provision of Cyber Insurance. It is essential to maintain compliance with the scheme and to ensure response plans are in place for when a breach occurs. Once a breach occurs, organisations should consider their options carefully and consider obtaining legal advice to ensure compliance with the scheme.

This would also be a good time to review privacy policies to reflect new obligations.

Read more here.
