Various law enforcement bodies have been hard at work since the Optus data breach became known. The federal privacy regulator, the Office of the Australian Information Commissioner (OAIC), has now joined the fray announcing that it is launching its own investigation which will focus on compliance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Organisations with a turnover of $3 million or more or who are deemed to be a health service provider must comply with the Privacy Act.

Clearly the OAIC investigation will provide a gold mine of insights and lessons for other companies on how to better manage personal information but enough information about what went wrong has already been published for companies to look to their own policies, procedures and practices for ways to reduce the risk of huge reputational and financial damage arising from a badly managed data breach.

Collecting Information

The most basic step in reducing the risk of a data breach and complying with the Privacy Act is to avoid collecting personal information that you don’t really need. An audit of the personal information that your company collects and maintains is a very good idea in order to obtain an understanding of the size of your privacy risk.

Keeping and Disposing of Information

One of the issues brought to light as a result of the Optus breach was the type of personal information that Optus kept, such as the 100 point identity check, even though it appeared to be no longer relevant. Some of this information needed to be retained under the Telecommunication (Interception and Access) Act 1979 (Cth), which applies to telcos, however, electronic data storage has enabled vast amounts of records to be retained almost indefinitely. This capability makes it extremely tempting for very prudent risk managers to keep records indefinitely. Storing paper files in archives in “the olden days” at least forced some review of documentation as the need to find and pay for storage space would act as a deterrent to eternal retention. However, APP11 requires an organisation to only keep information for as long as necessary to satisfy the reason for which it was collected (and any legislative requirements). It also requires the information that it holds to be current and correct (APP 10).

Developing a records management policy that provides guidance about when information is no longer required will go a long way towards satisfying both APP 10 and 11. Of course, some discretion must be built into the policy to address personal information that should be kept for a longer period, for example. where there may be a reasonable risk of litigation in the future. Organisations that deal with children and young people will be aware that the children and young people may be able to take legal action a number of years after they legally become adults for actions that occurred while they were minors. Child abuse cases have shown us that some personal (and organisational) information should be kept almost indefinitely.

Data Breaches (Notifiable Data Breach Scheme)

The Privacy Act requires organisations that hold personal information to have a plan to manage data breaches. Furthermore, where a breach is likely to result in a risk of serious harm to any of the individuals whose personal information is involved, it is mandatory for the organisation to notify affected (or potentially affected) individuals and the OAIC. In the context of data breaches, “harm” is quite broadly defined to include serious physical, psychological, emotional, financial or reputational harm.

Each organisation is required to have a data breach response plan which essentially consists of:

1. containing the breach to prevent any further information spillage
2. assessing whether the data breach has been contained and whether there is a risk of harm to affected individuals
3. where possible taking action to remediate any risk of harm
4. if there is a risk of serious harm (an “eligible data breach”), notifying the individuals and the OAIC
5. reviewing the incident and considering actions that can be taken to prevent future breaches.

Each breach is likely to be a little different but having a clear plan communicated to employees about who to contact and when, once they become aware of, or suspect that there has been, a data breach is key to improving the chances of containing the breach. It is particularly important to build a level of trust so that employees will report their concerns rather than hide a data breach because of a fear of repercussions.

Not all data breaches are going to have serious consequences and so not all data breaches will need to be reported. However, as with most dealings with regulators, the sooner you let them know that there is a problem the more likely they are to be able to assist you (you are unlikely to be the first company coming to them with a particular problem). It is probably even more important for individuals affected by the breach to be advised as soon as possible together with measures that your organisation is taking, and possible measures the individual can take, to mitigate the risk. Note that individuals and regulators may become very annoyed if they only become aware of a problem late in the piece.

Cybersecurity (APP 11)

We will leave it to the experts to provide insights on the technical aspects of preventing hacking learned from the Optus breach, but it is important to remember that human error is one of the leading causes of data breaches. Companies can reduce this risk with regular cybersecurity training for employees to help them identify cybersecurity threats such as phishing. They should also have a strong emphasis on password protection: enforcing password resets at regular intervals, educating employees to not use simple, easily predictable passwords, not sharing passwords, and setting company laptops and desktops to require logging in if the keyboard has not been used for a period of time.

The Australian Cyber Security Commission (ACSC) has emerged as a particularly useful government agency to assist with helping organisations and individuals manage incidents of cybercrime.

Educating Staff

This element has not been placed last as a matter of priority but because it encompasses all of the issues that have been raised above. Employees should be regularly provided with learning in various formats to reinforce the following:

• querying the need to collect or hold unnecessary information in their area of work
• remembering to use complex and different passwords and not use the same password for a number of different applications, for example, their social media account and work account
• good cybersecurity practices
• what to do if they become aware of or suspect that a data breach has occurred.

Key (Interim) Takeaways

• Only collect personal information that your company really needs – conduct an audit.
• Only keep personal information for as long as you need it.
• Have a Data Breach Response Plan that is communicated to all employees.
• Educate your employees to know their responsibilities in relation to protecting personal (and confidential) information.
• Regularly check the effectiveness of your company’s cybersecurity practices.
• Nominate a Privacy Officer – this is not a legal requirement but they will be the person who will be able to coordinate, communicate, monitor and oversee your organisation’s compliance with the Privacy Act and be a central contact point should there be a data breach.

Useful Resources

• Australian Cyber Security Commission (ACSC) for reporting incidents of cybercrime and assistance in managing the incident
• Office of the Australian Information Commissioner (OAIC) for further information on your organisation’s obligations to protect personal information and to notify eligible data breaches.