Uber, Ashley Madison, Equifax: these brands are known for ride hailing, infidelity and credit scores respectively, but also for the exposure of customer information.
As of today, many businesses that operate in Australia are subject to the country’s new notifiable data breaches scheme.
Lose a hard drive? Give an unauthorised person patient files? In certain circumstances, companies will have to tell the Office of the Australian Information Commissioner (OAIC) and any individual affected if personal data are lost, stolen or leaked.
If you use any services that collect details about you — from your birth date to your shoe size — here is what you need to know.
When is it personal?
Certain companies and government agencies must disclose a breach if it involves personal information and is likely to result in serious harm to the people concerned.
So, what is “personal information”? Think of it as any information about a person that would identify them or allow them to be reasonably identifiable.
“It covers a broad range of information that exceeds name, address — the really obvious ones,” explained Australian Privacy Commissioner Timothy Pilgrim.
This term is purposefully flexible, agreed Anna Johnston, the director of consultancy firm Salinger Privacy.
Flexibility is important because new technologies, such as machine learning algorithms, are increasingly able to re-identify data that may appear anonymous.
For example, something as simple as an IP address — essentially, your computer’s internet street address — could be used to identify you if combined with another data set that included your birthdate and internet habits.
Is the breach ‘likely to result in serious harm’?
If a data breach involves personal information, it must be disclosed if the breach is likely to result in “serious harm” to any affected individual.
This is not simply the annoyance of getting a new credit card if your number is stolen — “serious physical, psychological, emotional, financial, or reputational harm” are all included.
Consider the situation of a domestic violence survivor or a family court judge, for instance.
“There are lots of different people … who would be placed at much greater risk of harm if their home address or their history of movement — geolocation data — was exposed versus simply a credit card number,” Ms Johnston explained.
Which companies are affected?
A broad range of Australian businesses and government organisations are covered by the law.
Importantly, all Federal Government agencies, and businesses and not-for-profits with annual turnover above $3 million, must disclose eligible breaches.
Businesses with annual turnover of $3 million or less must also disclose breaches if they trade in personal information or provide health services.
“You could be a one-person, part-time local physiotherapist,” Ms Johnston explained, “if you suffer a breach involving personal information, then these requirements are triggered.”
There are two more key categories of affected organisations: credit reporting bodies and credit providers, and any organisation that holds tax file numbers, if those tax file numbers are lost or stolen.
Even the American tech companies?
Foreign companies that operate in Australia come under the rules, and the OAIC has already been able to investigate overseas breaches that affect Australians.
Commissioner Pilgrim confirmed his office is looking into Uber’s 2016 data breach that affected at least 57 million customers, and which was disclosed in late 2017 before the data breach law came into effect.
The OAIC can also join forces with privacy commissioners overseas to investigate international data breaches.
“Two years ago, my office did a joint investigation with the Canadian commissioner’s office in the Ashley Madison breach,” he explained, referring to the infamous infidelity website hack.
“We found Ashley Madison in breach under both our laws.”
How long do they have to notify you?
Companies must tell the OAIC and those affected as soon as practicable once they have determined the facts of the breach, whether it can be contained and whether it is likely to result in serious harm to individuals; an organisation that only suspects an eligible breach has up to 30 days to complete that assessment.
There are some situations where a company might delay notification, however — if the police are investigating a hack and disclosure might tip off the perpetrator, for example.
What penalties might companies face?
The maximum civil penalty a court can impose on application by the Commissioner is $2.1 million for companies and $420,000 for individuals, but that may not be the only consequence.
According to Mr Pilgrim, many organisations now see personal data as one of their most powerful assets.
“One of the biggest risks they have is losing the trust of their customers,” he said.
A recent OAIC survey found that 58 per cent of respondents would avoid dealing with a private company over privacy concerns.
“Loss of reputation, loss of share market value are ultimately why companies should be worried about the bottom line,” Ms Johnston added.
Can companies collect any data they want about me?
Under the Australian Privacy Principles, companies cannot collect anything they like.
“Organisations can only collect information they require for their function or activity,” Commissioner Pilgrim explained.
“They run the risk of collecting information they don’t need, which could be in breach of the [Privacy Act].”
In Ms Johnston’s view, American technology companies have set a problematic standard around data collection.
The American approach to privacy relies primarily on consumer protection law, she said, which allows US companies to bury their data collection policies in the fine print and count that as sufficient disclosure to customers.
“We do unfortunately have this kind of disconnect in Australia and much of the rest of the world, where the privacy laws say one thing and the business practices reflect something entirely different,” Ms Johnston added.