Mandatory Data Breach Notification in the Australian Gambling Sector

New law commenced on 22 February 2018

The Privacy Act 1998 (Cth) regulates how personal information is required to be managed and protected. This law was recently amended to require businesses to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of certain data breaches.

Gambling operators and venues collect, use and hold a considerable amount of personal information, including identity document details. The ramifications of suffering a data breach involving this type of personal information can be substantial in terms of costs and disruption to the business and damage to affected individuals and the reputation of the business.

Those gambling operators which are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) must comply with these new data breach notification requirements.

Is your gambling business prepared to meet the new mandatory data breach reporting requirements?

What is a data breach?

A data breach occurs when personal information held by an organisation is lost or is accessed by, or disclosed to, unauthorised entities or individuals. This can happen when, for example, IT systems are hacked or a laptop is left on a train.

Data breaches have become a fact of modern commercial life. Inadvertent disclosures, stolen data and cyber-security attacks cause substantial harm to businesses and customers alike. It has been estimated that more than 9 billion data records have been lost or stolen globally since 2013.

Who has to comply with the new requirements?

The data breach notification requirements apply to businesses with an annual turnover of $3 million or more. As stated above, businesses which are reporting entities under the AML/CTF Act must also comply regardless of their turnover.

When does notice have to be given?

Under the new mandatory data breach notification scheme (NDB scheme) notice has to be given when either a business or the OAIC has reasonable grounds to believe that an “eligible data breach” has occurred.

There will be an “eligible data breach” where:

• there is unauthorised access to, or unauthorised disclosure of, personal information; or
• information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, personal information is likely to occur; and
• a reasonable person would determine that access or disclosure would likely result in “serious harm” to any individuals to whom the information relates.

“Serious harm” is assessed from the standard of the reasonable person. Harm is defined broadly and includes serious physical and psychological harm, serious harm to reputation and serious financial or economic harm. On its own, an individual’s upset or distress as a result of a data breach would probably not be sufficient to require notification unless a reasonable person would consider that serious harm would likely result for affected individuals. A data breach involving the details of a person’s gambling account has the potential to result in serious harm to the affected person.

What are the notification requirements?

If a business has reasonable grounds to believe that an eligible data breach has occurred, it must promptly notify individuals who are likely at risk of serious harm. The OAIC must also be notified as soon as reasonably practicable.

The notification to affected individuals and the OAIC must include, at least:

• the name of the business and its contact information;
• a description of the data breach and the information involved; and
• recommendations to individuals about the steps they should take in response to the data breach.

Businesses can use the methods of communication that they ordinarily use to contact these individuals. Notice can be given via emails, phone calls, SMS or a social media post.

Where a business has outsourced services or entered into a shared services arrangement, if the breach involves more than one party, only one party is required to notify affected individuals and the OAIC.

What are the exceptions?

Notification of an eligible data breach will be mandatory unless an exception applies. Exceptions include:

• if the business has taken remedial action promptly so that a reasonable person would conclude that the breach is not likely to result in serious harm to the affected individuals; or
• if the OAIC grants an exemption from compliance to a business.

What are the consequences of contravening the law?

A failure to comply with the law has severe consequences. The maximum penalty for contravening the law is $2.1 million. Businesses may also have to pay compensation to individuals for any loss or damage caused by the data breach. Directors can also be personally liable for any failure to act with reasonable care and diligence in respect of cyber security. Class actions may also be brought in respect of data breaches.

Beyond the legal consequences, data breaches have a substantial negative impact on businesses. Data breaches can erode the trust and goodwill of those engaging with direct selling businesses. The damage caused by data breaches to the reputation of a business is significant and may even be irreparable.

What can your business do to handle a data breach?

Be prepared! There are numerous steps that you should be taking, if you have not done so already. These steps include but are not limited to:

• Perform a Cyber Health Check to assess whether your business is resilient against data breaches – This Check has been devised by Addisons in conjunction with leading technology and risk management experts. Conducting a Check will identify your business’ risks and vulnerabilities and provide recommendations as to how risks can be reduced.
• Implement privacy enhancing technologies, such as access control, encryption and intrusion detection and ensure that the adequacy of systems is regularly monitored and reviewed.
• Develop a data breach response plan – It is important that your business is able to react quickly to identify and contain breaches, comply with any reporting obligations under the NDB scheme (or other legislation if, for example, your business is a publicly-listed company), carry out remedial action, deal promptly with media and stakeholder attention and restore public confidence. Having a data breach response plan also helps a business meet their obligations under the Privacy Act, which includes taking reasonable steps to protect the personal information it holds.
• Review your contractual arrangements with third parties with a focus on privacy issues. In some circumstances, it will be important to address issues, such as ensuring the expedient investigation of a breach by the contractor; that the contractor promptly notifies your business if it becomes aware of a suspected breach; and which party will be responsible for assessment and notification, if required. Indemnities should be sufficient and the costs of addressing breaches etc should be considered.
• Conduct training to ensure staff and contractors are aware of security and fraud matters (as well as policies) and consider appointing a person / team who are responsible for these matters.
• Consider whether your insurance is adequate.

If you would like further information on mandatory data breach reporting and how you can be better prepared for the NDB scheme, please don’t hesitate to contact us.

---

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.