This article is more than 24 months old and is now archived. This article has not been updated to reflect any changes to the law.
The mandatory notifiable data breach scheme (NDB Scheme) in the Privacy Amendment (Notifiable Data Breaches) Act 2017 is in force.
The NDB Scheme requires relevant organisations to notify affected individuals (and the Office of the Australian Information Commissioner, the OAIC) where there has been unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the organisation, and a reasonable person would conclude that the access or disclosure is likely to result in "serious harm" to any of the individuals concerned. Serious harm can be physical, psychological, emotional, financial or reputational.
Raph Goldenberg, Partner, and Andrew Thompson, Special Counsel, CIE Legal

With the NDB Scheme now in operation, it is worth considering two recent high-profile data breaches to illustrate how the NDB Scheme might apply in similar scenarios.
In October 2017, Domino's Australia notified customers that it was investigating a potential issue with a former supplier's systems which may have allowed access to a number of customers' email addresses, names and the store locations where they had placed orders. The data was used to send phishing emails to Domino's customers which looked legitimate because they addressed the customer by first name and mentioned their local suburb, in an attempt to provoke a reply.

While the personal information did not include financial account details, credit or debit card numbers or other sensitive information, the combination of names, email addresses and store purchase locations could create a greater risk of harm to the individuals (including the possibility of locating them, and with it physical harm) than any single piece of information would. The amount of data about the individuals concerned, the potential for them to be located using that data, and the fact that it ended up in the hands of a phishing email sender, would very likely make this a notifiable data breach under the NDB Scheme.
Uber recently announced that it had been subject to a hack in which customer data was downloaded from a third-party cloud service used by Uber. The data included the names, email addresses and mobile phone numbers of 57 million users worldwide and, in some cases, Uber drivers' licence numbers. Uber allegedly paid US$100,000 to the hackers in order to conceal the breach.

Uber has allegedly stated that it does not consider an email address to be personally identifiable information, and claims that no user's financial, credit card or trip information was accessed. As with the Domino's case, the combination of the various types of personal information involved, and the significant scale of the breach, would likely mean that this would be a notifiable breach under the NDB Scheme.
If the Domino's and Uber breaches were notifiable breaches under the NDB Scheme, each would need to:
Businesses and organisations should ensure that they have a "data breach response plan" with clear roles and responsibilities assigned to staff to contain, assess and evaluate a breach and, if necessary, notify affected individuals and the OAIC. A robust plan will not only minimise the impact of a breach, it will help achieve compliance with the NDB Scheme. This is especially important given the significant consequences of non-compliance, including penalties of up to $1.7 million as well as potential compensation for damages.
The OAIC has provided a useful flow chart on how to respond to a data breach – see https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/flowchart.pdf.