The danger of data: How data breaches can cost retailers
The loss of personal data is now a common story worldwide, with over 143 million people recently having their private information including names, Social Security numbers, birth dates, addresses and even some credit card numbers being stolen in the Equifax data breach. A study by IBM has found that the average cost for a data breach is $3.62 million USD. As such, it is not surprising that the Australian Government has introduced new laws regarding data breaches and the requirement of mandatory disclosure where a data breach has occurred or is suspected as having occurred.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Privacy Act 1977 to require entities to notify both the Australian Information Commissioner as well as all affected individuals where an eligible data breach has occurred or is reasonably suspected to have had occurred. Eligible data breaches are where there is unauthorised access or disclosure of personal information, credit reporting or eligibility information or tax file numbers and which a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals.
The reporting requirements affect entities already covered by the Privacy Act and as such will exclude State or Territory authorities, certain agencies, registered political parties and small business with an annual turnover of $3 million or less. Failure to abide by the requirements constitutes a “serious interference with the privacy of an individual” which includes the Commissioner conducting investigations, enforceable undertakings, payment of compensation and penalties of $420,000. The reporting requirements begin on 23 February 2018.
Retailers should be aware both of these new requirements but also of the broad scope of information that is covered by it. The definition of “personal information” is very broad and can include many documents that might not necessarily be considered personal data including contact details, CCTV footage and resumes. Most modern marketing for retailers today involves the collection of significant amounts of personal information that will fall under the scheme. Where the loss suffered by persons due to data breaches in quantifiable (such as in the case of credit card fraud) retailers will face the risks of litigation including costly class action proceedings.
In light of both these changes as well as the continuing requirements of the Privacy Act and Privacy Principles, it is more important than ever for retailers to take stock of their privacy policy and how safely their data is both collected, stored and distributed.
Alex Collie, Lawyer
Paul Carroll, Partner