Did You Know That You Are Required to Report a Cyber Incident?
Welcome back. This week we continue our look at incident response with some common questions about cyber incidents, including:
- What to do if you have a breach.
- If the worst case occurs, how to make a report and ensure you inform the proper authorities, including the Australian Digital Health Agency (ADHA) and other government bodies.
My Business Holds Personal Health Information; What Are My Responsibilities If I Am Breached?
If you hold personally identifiable information (PII) and personal health information (PHI) (in Australian law, "personal information" and "health information", the latter a category of sensitive information) and experience a data breach in Australia, you have several responsibilities under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). These responsibilities include:
- Notification: Under the Notifiable Data Breaches (NDB) scheme, an eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned and that you have not been able to prevent through remedial action. If you have one, you must prepare a statement for the Office of the Australian Information Commissioner (OAIC) and notify the affected individuals as soon as practicable after you become aware of it.
- Investigation: If you have reasonable grounds to suspect an eligible data breach may have occurred, you must conduct a reasonable and expeditious assessment, taking all reasonable steps to complete it within 30 days, to determine the scope of the breach, its cause, the types of information affected, and the potential harm to affected individuals.
- Remediation: You must take reasonable steps to contain the data breach, prevent further harm, and mitigate the associated risks.
- Prevention: You must take reasonable steps to prevent future data breaches, such as implementing robust security measures, regularly reviewing and updating security practices, and providing staff training on privacy and security.
- Record-Keeping: You must keep a record of all data breaches, including the date and type of breach, the types of information involved, the remedial action taken, and whether the affected individuals were notified.
Failure to comply with these obligations can result in significant fines, penalties, and reputational damage. In addition to these legal obligations, it is imperative to prioritise the protection of PII and PHI through robust security measures and ongoing monitoring and review of your data protection practices.
Who Do I Need to Report a Breach To?
If you have experienced a cyber breach, you can make a report to the following organisations:
- Australian Cyber Security Centre (ACSC): The ACSC is the Australian government's lead authority on cyber security. It provides advice and assistance on cyber security incidents and threats. You can report a cyber breach or incident through ReportCyber at cyber.gov.au/report.
- Australian Cybercrime Online Reporting Network (ACORN): ACORN was the national online system for reporting cybercrime. It was retired in 2019 and its function moved to ReportCyber, so cybercrime reports from individuals and businesses now go through the same cyber.gov.au/report channel.
- Scamwatch: Scamwatch is a website run by the Australian Competition and Consumer Commission (ACCC) that provides information on how to avoid and report scams. If you have been the victim of a cyber scam, you can report it at scamwatch.gov.au.
It's important to report cyber breaches or incidents as soon as possible to help prevent further damage and to increase the chances of identifying and prosecuting the perpetrators. Note that a report to the ACSC or Scamwatch is separate from, and does not satisfy, your notification obligations to the OAIC under the NDB scheme or to the ADHA under the My Health Records Act; those must be made in their own right.
What About My Obligations Under the My Health Records Act?
In Australia, the My Health Records Act 2012 (Cth) outlines several responsibilities regarding the Australian government’s My Health Record system. These include:
- Privacy and Security: When handling PHI in the My Health Records system, you must comply with the My Health Records Act 2012 and the Australian Privacy Principles. This includes implementing appropriate privacy and security controls to protect the confidentiality and integrity of PHI.
- Reporting: If you become aware of unauthorised collection, use or disclosure of PHI in the My Health Record system, or of an event that has or may compromise the security or integrity of the system, you must notify the System Operator (the Australian Digital Health Agency) and the Office of the Australian Information Commissioner as soon as practicable. This obligation applies in addition to the NDB scheme.
What Are the Penalties for Not Complying With the Rules?
Under the Notifiable Data Breaches (NDB) scheme in Australia, if an organisation experiences a data breach that is likely to result in serious harm to any individuals whose personal information is involved, they must report the breach to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals as soon as practicable.
The penalties for not reporting a cyber privacy breach in Australia can include:
1. Civil Penalties
- The OAIC can seek civil penalties for serious or repeated interferences with privacy under the Privacy Act, which include failing to comply with the NDB scheme.
- The maximum penalty for a serious or repeated interference with privacy, as stated when this was written:
- $10 million AUD for a body corporate
- $2 million AUD for an individual
- Note that the Privacy Act was amended in December 2022 to raise these maximums substantially (for a body corporate, the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period; $2.5 million for an individual), so check the current figures before relying on the numbers above.
2. Criminal Penalties
The My Health Records Act 2012 (Cth) outlines penalties for non-compliance, including fines and potential criminal charges.
- Unauthorised collection, use or disclosure of PHI in the My Health Record system can result in:
- Imprisonment for an individual (up to 2 years under the original Act; the maximum has since been increased by amendment, so check the current provision), a fine, or both
- A fine for a body corporate: a company cannot be imprisoned, and under the Crimes Act 1914 (Cth) a body corporate convicted of an offence can be fined up to five times the maximum fine for an individual
3. Additional Civil Penalties
- If a healthcare provider fails to obtain an individual's consent before uploading their PHI to the My Health Record system, they may be liable for a civil penalty of:
- Up to 5,000 penalty units ($1.11 million at the $222 penalty unit value in force when this was written; the unit value is indexed) for a corporate body
- Up to 1,000 penalty units ($222,000 at the same unit value) for an individual
4. Reputational and Business Impacts
Beyond financial and legal penalties, non-compliance can result in:
- Reputational damage: Violating privacy laws can damage your pharmacy’s reputation, potentially impacting customer trust and loyalty.
- Loss of business: Customers may choose to take their business elsewhere if they feel their data is not adequately protected.
Ensuring compliance with privacy and security regulations is critical for protecting your business, maintaining trust, and avoiding severe penalties.