Australian Retailers Association

Time to prepare for data breach notification obligations in 2018

Australian retailers with a turnover of $3 million or more, or those that trade in personal information, will be obligated to notify individuals affected by certain data breaches involving personal information from 22 February 2018. The Australian Information Commissioner must also be notified.

The Notifiable Data Breaches scheme notification requirements are triggered when a data breach that is ‘likely to result in serious harm’ to an individual occurs. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm.

Understanding whether a data breach can result in ‘serious harm’, or whether this harm is likely or not, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.

If you are unsure if a data breach meets the threshold, you are required to undertake an assessment of the breach within a maximum of 30 days.

The Office of the Australian Information Commissioner (OAIC) has a range of resources to assist you in preparing for the Notifiable Data Breaches scheme at www.oaic.gov.au/ndb.

The OAIC is also hosting a webinar on the scheme’s requirements on 21 November 2017. Sign-up to attend.

Example data breach scenarios

Malicious software allows attacker to intercept payment information

An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website.

Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that are at likely risk of serious harm.

Subscriber error results in account information being shared with the wrong person

A staff member for a retail chain store mistakenly mails a loyal customer’s $50 rewards voucher to the wrong address. The business finds out about the mistake when the customer rings to inform them that the voucher has not been delivered, despite an email telling the customer to expect it.

The business revisits their record of the rewards vouchers sent to customers, and finds that the customer’s address is incorrect. They know that it is likely the rewards voucher, and any personal information in the mail, was delivered to the wrong person.

The business quickly assesses the likelihood of serious harm to their customer. As the mail contained only the customer’s name and the retail business is not known for particular products or affiliations that could infer sensitive information about the customer (such as political opinion, religious beliefs, or health information), they determine that the requirements of the NDB scheme do not apply.