As I write this article, around 11 million Australians are dealing with the consequences of the Optus and Medibank systems being hacked.
Because the leaked information includes dates of birth, names, phone numbers, addresses and driver licence, passport and Medicare numbers, the prospect of identity theft and other fraud is very real, and victims may spend significant time dealing with their potential exposure.
How much time? That depends on the extent of the misuse. Some incidents, such as fraudulent bank transactions, may result in only minimal inconvenience and financial impost if they are raised quickly.
Serious cases, such as a complete takeover of a victim's identity, take much longer. In 2017, Australian Institute of Criminology surveys found that victims of misuse of personal information spent an average of 35 hours responding to the victimisation. Around half of those cases were resolved in under 3 hours [1], which means the average for the other half must have been close to 70 hours (nearly two full working weeks).
In 2018-19, the estimated direct cost of identity crime to individuals in Australia was $500 million and the total cost, including direct and indirect costs of prevention and policing, was $3.1 billion.
According to Scamwatch (managed by the ACCC), 20,939 identity theft incidents were reported in 2020 (about 57 per day). Those figures predate the Optus and Medibank breaches, so a significant increase in these numbers is likely.
A data breach also damages an entity's reputation and is likely to harm its commercial interests. In 2020, the top two concerns identified by respondents to the OAIC Australian Community Attitudes to Privacy Survey were identity theft (76% of respondents) and data security and data breaches (61%) [2].
These concerns can only be higher post-Optus and Medibank, so protecting consumer data will be even more in focus.
Best practice to avoid a data breach
The protections in the Privacy Act alone can’t prevent a data breach occurring. Entities must take active steps to manage personal information and guard against a data breach occurring.
Having a Privacy Management Plan (PMP) is one of the most effective risk management strategies. A PMP describes the measures an entity will take to ensure compliance with privacy obligations and identifies specific, measurable goals and targets.
The PMP should include an assessment of the entity's privacy maturity. This can then be used to establish a scalable, risk-based approach and to set benchmarks that are reassessed on a regular (generally annual) basis. The maturity assessment helps an entity determine how well it has implemented its privacy program to date and flags any gaps or opportunities. Privacy maturity gaps are red flags for potential compliance issues, including whether the entity's privacy policy and notices are adequate.
The next steps in the PMP typically involve setting compliance actions to address compliance gaps, and actions to improve privacy maturity. Once the PMP has been implemented, these actions should be reviewed to see how well the entity has delivered against it.
To manage privacy risks on an ongoing basis, privacy threshold assessments (PTA) should be conducted for all projects involving personal information to determine the potential privacy impacts.
A PTA will indicate if there is a high privacy risk. In these cases, entities should conduct a Privacy Impact Assessment (PIA) for the project. A PIA is a systematic assessment of the project with reference to the Australian Privacy Principles that:
- describes the personal information flows in a proposal
- analyses the possible privacy impacts of those flows
- assesses the impact the project may have on the privacy of individuals
- explains how those impacts will be eliminated or minimised.
If a data breach occurs, what happens next?
In response to a data breach, an entity should follow these four key steps:
- Contain the breach—immediately
- Assess the breach to identify and mitigate risk—as a priority
- Notify affected individuals—as soon as possible
- Review and adapt to learn and improve practices—as soon as the dust has settled.
Notification considerations
The main objective of the Notifiable Data Breaches scheme in the Privacy Act is to ensure that individuals (and the Information Commissioner) are notified of eligible data breaches, that is, breaches likely to result in serious harm.
If the scheme applies, an entity must notify affected individuals of the breach and recommend steps they can take to manage its consequences. This may include advice about:
- mechanisms to limit the possible consequences, such as applying for a Commonwealth Victims' Certificate (used to re-establish the person's credentials or to help explain fraudulent transactions)
- support organisations such as IDCARE (a not-for-profit support service for victims of identity crime, which provides counselling and assistance in recovering lost funds and identity credentials)
- sources of information on how the consequences of a data breach might be managed, such as the eSafety Commissioner, the OAIC and so on.
There may, however, be circumstances where it is not in the individual's best interest to be informed of the breach (for example, where notification could cause undue stress or harm to the affected individual). In such circumstances, entities should seek the advice of the Information Commissioner, as it is the Commissioner who decides whether individuals need not be advised of the breach.
The widespread and critical commentary about a perceived failure by Optus and Medibank to keep individuals informed demonstrates the pitfalls of communicating about a data breach. It also shows the importance of ongoing communication and the need to adapt the communication strategy as the matter evolves.
References
- [1] Franks C & Smith RG, Identity crime and misuse in Australia 2019, Australian Institute of Criminology Statistical Report 29 (National Identity Security Strategy)
- [2] Australian Community Attitudes to Privacy Survey 2020, Office of the Australian Information Commissioner website
How Proximity can help
enquiries@proximity.com.au
or call 1800 959 885
Proximity personnel have very significant experience in providing advice and assistance on privacy issues, including the development of privacy management plans, PTAs, PIAs and data breach response plans.
We can work with you to develop and implement a strategic approach to managing privacy for your organisation, including by:
- providing advice and assistance with day-to-day privacy issues
- developing key strategic documentation such as privacy management plans, and
- providing advice on managing significant issues, such as identifying potential data or privacy breaches and implementing mitigation or management strategies.