We have previously advised on the recent amendments to the Privacy Act[1] requiring entities who are regulated by the Act to now report both actual and suspected breaches of the Act to the Privacy Commissioner and to any individual who will potentially be affected by the breach.[2]
Whilst most APP entities (broadly, a business with a turnover of more than $3M per annum)[3] are aware that they need to have a Privacy Statement on their website, and are aware of the mandatory reporting requirements, other important issues are emerging which require careful consideration.[4]
A key area of risk to your organisation is in relation to information that your organisation shares with third parties.
APP 11 requires APP entities to take active measures to ensure the security of personal information they hold or disclose. Specifically, APP 11.1 states that an APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure – including from third parties to whom they disclose the information.
You can obtain permission from an individual to disclose their information to a third party for certain purposes. However, you will need to consider whether your organisation is protected, as far as practicable, in respect of data breaches by that third party.
Whilst you can require a third party contractor to have adequate data protection systems in place, you will be unable to prevent an inadvertent data breach caused by human error, or a situation where the third party’s data is hacked.
If you share data with a third party, and their security is breached, your organisation can still be found liable for that breach.
Whilst ultimately you may be able to prove that no loss has been suffered by an individual in respect of that breach, the costs of doing so can be significant.
Now is the time to review your standard form contracts with suppliers and other third parties to ensure that they cover the issues of data breach.
You need to ensure that, as far as practicable, your organisation is protected in those circumstances.
You can ensure protection, as far as practicable, in the following ways:
As a minimum, your standard contracts should be amended to deal with the following issues:
You need to consider if the contracting party should hold appropriate insurance for these risks.
Coverage for cyber security breaches varies significantly between insurers.
You need to speak to your broker to ensure you understand exactly what cover you have in place to protect your organisation should there be a cyber breach and, importantly, what your organisation does not have cover for.
It is common for cyber insurance policies to cover the following losses:
Typically, and importantly, your organisation's internal administration costs and the costs of fines and penalties are not covered by your insurer.
By taking steps to review your standard form contracts and your insurance cover now, you can minimise, as far as practicable, the risk to your organisation from a cyber attack or an inadvertent breach of the Act.
[1] 1988 (Cth) (Act)
[2] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 26WL.
[3] Privacy Act 1988 (Cth) s 6(1).
[4] Privacy Act 1988 (Cth) Schedule 1: Australian Privacy Principle 1.3.