Let’s face it, in a world of free-flowing data, every business, large and small, is vulnerable to a data breach.
But with huge penalties on the cards, can you afford even a minor breach?
Section 80W of the Privacy Act 1988 empowers the Office of the Australian Information Commissioner to apply to the Federal Court or Federal Circuit Court for an order that an entity that is alleged to have contravened a civil penalty provision in that Act pay the Commonwealth:
- if it is a a serious or repeated interference with privacy (s 13G) – 2000 penalty units (at the time of writing this article, that is a penalty of $444,000); or
- various civil penalties related to credit reporting, with penalties of either 500, 1000 or 2000 penalty units ($111,000, 222,000 or $444,000 respectively).
Unfortunately, the bad news does not stop there. Similarly, under s 56EU of the Competition and Consumer Act 2010, the Office of the Australian Information Commissioner can apply to a court for an order that a person who is alleged to have breached a civil penalty provision in that Act pay the Commonwealth a civil penalty.
Penalties under that Act can be enough to cripple a business permanently. For example, a company may be fined the greater of $10,000,000 or the value of any benefit the relevant Court determines the company, or any company related to it, obtained directly or indirectly, provided it is reasonably attributable to the contravention, multiplied by three.
Or, if the Court cannot determine the value of the benefit, the Court can order that the company pay 10% of the annual turnover of the company during the 12-month period ending at the end of the month in which the contravention happened or began.
For individuals or organisations that are not body corporates, the maximum penalty amount is $500,000.
We recently acted for a client – a family support service in regional NSW – after it experienced a data breach originating in either its own email system or its accountant’s email system. The organisation acted swiftly but were unable to determine the exact source of the breach and did not know how to respond, particularly in an environment of complex legislation and policy.
Unfortunately for our client, hackers had gained access to its file system and database, with potential access to clients’ tax file numbers, financial information and medical information. The organisation contacted Dowson Turco because it was unsure whether the matter was a reportable breach and did not know what steps it should take, in any event.
Over two days, we provided urgent legal advice on the organisation’s reporting requirements and contacted the Office of the Australian Information Commissioner on our client’s behalf. We recommended an IT investigation firm assist in the investigation of the breach and spoke to IDCare about ongoing assistance with security for our client’s employees. We also assisted with drafting communications to those affected and provided comprehensive advice on all prudent steps to take in mitigation of the breach.
As a result of our advice and the comprehensive approach our client took, no penalties were issued. Our client was extremely grateful for our help during a very stressful situation, which could have resulted in significant costs and business losses.