INSIGHT

How to determine whether you have suffered an eligible data breach

By Gavin Smith, Valeska Bloch
Cyber Data & Privacy

In brief

From 22 February 2018, the Notifiable Data Breaches Scheme (NDB Scheme) will require all entities covered by the regime to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach.

A data breach will be an eligible data breach when the following three criteria are satisfied:

  1. there is unauthorised access to, unauthorised disclosure of, or loss of personal information that an entity holds;1
  2. in circumstances where a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to affected individuals;2 and
  3. the entity has not been able to mitigate or prevent the likelihood of serious harm with remedial action.3

Has there been unauthorised access, disclosure or loss?

Unauthorised access, unauthorised disclosure and loss are not defined in the Privacy Act 1988 (Cth) and carry their ordinary meaning. The OAIC has provided some guidance to help understand exactly what these terms mean.

Unauthorised access refers to situations in which personal information held by an entity is accessed by someone who would not ordinarily have permission to do so. This covers both data being accessed by an external attacker and an employee obtaining access to part of a database containing personal information that they are not authorised to view; the fact that the employee holds valid credentials for the system does not make the access authorised.

Unauthorised disclosure occurs when an entity releases personal information from its effective control in a way that is not permitted by the Privacy Act and makes personal information accessible or visible to those outside of the entity. A good example used by the OAIC is Medicines, a pharmacy chain whose customer database was unintentionally made available online to the public due to a technical error.

Loss refers to the accidental or inadvertent loss of personal information in circumstances that are likely to result in unauthorised access or disclosure. For example, where an employee inadvertently leaves an unsecured laptop on public transport.

Is 'serious harm' likely?

If you have determined that you satisfy step one of the criteria, the next question to ask is whether a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to individuals whose personal information was involved in the breach.4

The reasonable person test is critical in assessing whether a data breach will be an eligible data breach. Again, the OAIC has provided some guidance to help navigate this process:

The reasonable person is a person in your organisation's shoes who has been properly informed of all of the available information about the data breach. This means they possess any information that you have gathered about the breach, including its cause, nature and extent.

Likely to occur means more probable than not (and does not simply mean 'possible').

Serious harm means serious physical, psychological, emotional, financial, or reputational harm.

The NDB Scheme itself also provides a non-exhaustive list of considerations relevant to whether serious harm is likely to occur.5 This list can be broadly broken down into three categories:

  1. The nature of personal information involved in the data breach.
    Certain kinds of personal information have far greater potential to cause serious harm to individuals if compromised. For example, in the OAIC's Medicines example, the pharmacy's customer database contained sensitive information about individuals' health care requirements, which is more likely to cause harm if compromised.
  2. The circumstances of the breach.
    Serious harm to an individual may not necessarily flow directly from the kinds of information compromised, but the circumstances in which information was accessed or disclosed. Among others, the OAIC suggests asking questions like:
    • How many individuals were involved?
    • How long has the information been accessible?
    • Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible?
    • Who has gained or may gain unauthorised access to the personal information?
    • Do the circumstances of the breach affect the sensitivity of the information?
      Continuing with the Medicines example, the fact that the disclosure could associate individuals' names with certain pharmaceutical products might increase the sensitivity of the information. Similarly, if the database was made publicly available for a number of months, or its existence was published on the darknet, this might weigh in favour of serious harm being more probable than not. The longer information has been exposed and, more importantly in some cases, the more likely the place where it was exposed is to be frequented by malicious actors, the greater the likelihood that such actors have actually accessed the data.
  3. The nature of the harm.
    The types of serious harm that may be relevant are broad and varied, a reality that has been acknowledged by the OAIC. However, it is important that you consider how the compromised personal information could be used, how likely it is that it might be used in a malicious fashion, and what the resulting consequences might be for affected individuals. For example, could customers of Medicines be threatened, experience humiliation or suffer damage to their reputation because of the breach? Is it more probable than not that harm will occur?

Has serious harm been prevented by remedial action?

Where an entity takes remedial action in relation to a data breach that results in the risk of serious harm to affected individuals being avoided, it will not be considered an eligible data breach.6 Such action can be taken before or after the data breach incident. One example of acting before the fact is ensuring that devices which leave your premises are appropriately secured and can be located, locked and wiped remotely by your IT teams. Depending on the circumstances, if you can swiftly reach a lost device and determine from its records that it has not been accessed before wiping the data remotely, this might be sufficient to qualify for the exception. Another example of acting before the fact is ensuring that files are properly encrypted, with the corresponding encryption keys stored in a separate and secure location. If stolen data is encrypted and incomprehensible without the proper key, there may be no likelihood of serious harm ever coming to pass. Note, however, that the Scheme's list of relevant matters5 directs attention to whether the security measure could be overcome and whether the person who obtained the data has, or could obtain, what is needed to circumvent it. Encryption will therefore only support this conclusion if the key was not compromised alongside the data (for example, stored on the same lost device or in the same breached system) and the encryption used is not one that the likely recipient could readily defeat.

Where personal information has been accidentally sent to the wrong address, taking remedial action after the fact might include seeking a binding assurance from the recipient declaring they did not copy the information and have deleted the material.

Of course, you should not assume that taking these types of steps will be effective in every situation. Make sure that you carry out a proper assessment of any data breach, factoring in any remedial action, but still asking the questions set out above.

Footnotes

  1. Privacy Act 1988 (Cth), s26WE(2).
  2. Privacy Act 1988 (Cth), s26WE(2).
  3. Privacy Act 1988 (Cth), s26WF.
  4. Privacy Act 1988 (Cth), s26WE(2).
  5. Privacy Act 1988 (Cth), s26WG.
  6. Privacy Act 1988 (Cth), s26WF.