A guide to cyber and data breach incidents

APA’s insurance partner BMS and Jane Fiske, Melissa Tan and Edward Smith of law firm Lander & Rogers provide an overview on how to reduce the risk of a cyber or data breach incident and the recommended steps in response to a potential incident.

A cyber or data breach incident occurs when personal and/or sensitive information held by an individual or organisation is the subject of unauthorised access or disclosure or is lost.

The effects of a cyber or data breach incident can be devastating for affected individuals and for your organisation.

It can result in system downtime, significant financial and reputational damage and regulatory action.

Personal information is any information or an opinion about an identified individual or an individual who is reasonably identifiable.

Common types of information that are targeted include health records, banking details and personally identifiable information such as name, date of birth, address, telephone number, tax file number, signature and photographs.

Unauthorised access or disclosure often occurs in the context of cyber attacks, such as phishing or ransomware attacks, as well as physical office break-ins or accidental or intentional disclosure by employees.

Notifiable Data Breaches scheme

Organisations that are subject to the Privacy Act 1988 and the Notifiable Data Breaches scheme are required to complete an assessment of a data breach within 30 days of becoming aware of reasonable grounds to suspect that there may have been an ‘eligible data breach’ and must notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable after the organisation confirms that an eligible data breach has occurred.

All organisations that provide private health services and hold health information are subject to the Privacy Act 1988, regardless of size or annual turnover.

The broad definition of ‘health service’ under the Privacy Act 1988 means that private hospitals, pathology laboratories, pharmacists, aged care and palliative care providers, allied health practitioners and medical practitioners providing health services in a private capacity are all likely to be subject to the Privacy Act 1988 and the Notifiable Data Breaches scheme.

An eligible data breach occurs when unauthorised access or disclosure of information has occurred or is likely to occur and is likely to result in serious harm to affected individuals.

Disclosure of sensitive information such as health records increases the risk that the disclosure will result in serious harm.

If remedial steps can be taken within the 30-day window, with the result that the data breach is not likely to result in serious harm, notification may not be required.

How to prepare for a cyber or data breach incident

The frequency, scale and sophistication of cyber attacks continue to increase dramatically each year.

All organisations that are in possession of health records and personal information should be taking the following steps at minimum.

  • Determine whether your organisation is subject to the Privacy Act 1988 and has control over personal information such as health records, banking details or other kinds of personally identifiable information.
  • Implement data security policies for collecting, storing and protecting personal information, including multi-factor authentication, regularly updating antivirus and anti-malware software, encryption programs and data backup arrangements.
  • Provide regular cyber security awareness training to staff, including with respect to phishing attacks and effective password protection.
  • Review contracts with third-party data storage or management service providers to ensure that they have adequate data security policies, comply with your privacy obligations and contain appropriate remedies for breach.
  • Prepare an incident response plan that identifies who to notify, initial steps that can be taken internally to investigate the incident, external consultants with expertise in managing cyber and data breach incidents, and which people in your organisation will be responsible for internally coordinating the response.

Having a robust incident response plan in place at the time of a suspected breach increases the prospects of mitigating the risk of serious harm before the 30-day deadline for eligible data breach assessment.

How to respond to a cyber or data breach incident

Immediate action is required to mitigate the risk of serious harm to affected individuals as well as reputational and legal risks arising out of a cyber or data breach incident.

In the first 24 hours, activate your incident response plan, including notifying your broker/insurer and appointing legal and forensic IT experts if appropriate.

In the first 48 hours, work with your forensic IT experts to investigate, contain and remediate the system issues.

In the first 72 hours, based on the findings of your forensic IT experts and options for remediation and restoration of data, work with your legal, privacy and public relations experts to determine regulatory reporting requirements and a strategy for communication to the Office of the Australian Information Commissioner, affected individuals and/or the public.

Following the event, reflect on the lessons learned with respect to the effectiveness of the incident response as well as how to improve data security policies and IT systems to prevent a similar incident occurring in future.

Engaging external consultants

Legal consultants with specialist expertise in responding to cyber and data breach incidents are invaluable in providing immediate incident response, crisis management and privacy law advice as well as engaging and coordinating:

  • forensic IT services to investigate, contain and rectify the cause of the unauthorised access or disclosure
  • public relations services to advise on crisis communication to customers or the public regarding the incident
  • internet and credit monitoring services to provide identity theft monitoring and protection.

This article is part of the risk management series facilitated by the APA’s insurance partner BMS and written by law firm Lander & Rogers.

Disclaimer: This fact sheet is for general information purposes only and cannot be regarded as legal advice. Although all care has been taken in preparing this fact sheet, advice must be sought from competent legal practitioners in relation to any particular matter or concern that you or your organisation may have. In arranging this insurance for our members APA is acting as a distributor of BMS Risk Solutions Pty Ltd (BMS) AFSL 461594, ABN 45161187980. The insurance is issued by BMS under binder with Certain Underwriters at Lloyds. When acting under a binder BMS acts as agent for the insurer and not as your agent.

© Copyright 2023 by Australian Physiotherapy Association. All rights reserved.