Don’t jump the gun – getting breach notification timing right

With breach events on the rise it is important to manage and respond to them appropriately.

I was chatting to a friend in the water sector last week and we were discussing the increase in data breach events occurring in that sector (and more broadly). We discussed a recent breach incident affecting a number of water utilities and the legal advice they received on notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals. The water sector in Victoria is regulated by the Department of Environment, Land, Water and Planning (or DELWP for short).

In any regulated industry it is critical to involve your regulator as early as possible, not only from a pure compliance perspective but also because it is simply helpful to your relationship with that agency. Industry regulators who come late to the party because an organisation has kept them out of the loop are not well disposed to that organisation, either at the time of the incident or moving forward. Good communication, even when you do not yet know the full extent of a breach, builds trust and goodwill. It also reduces the risk of embarrassment for the regulator, particularly if the breach becomes public and the regulator is put under pressure to explain its response or to answer ministerial questioning.

However, there is a balance to be struck! Involving your industry regulator at the appropriate time in the event of a breach is one thing. Sending off a notification to the OAIC without first investigating the breach is another. Unless the breach needs to be notified quickly (perhaps because it falls within the 72-hour notification obligation under the General Data Protection Regulation (GDPR)), it is important to note that there is a longer window of 30 days under Australia’s Privacy Act 1988.

The clock starts ticking from when you suspect an “eligible data breach” may have occurred. An affected entity will typically wish to understand what has happened at least at a preliminary level before it rushes off to notify. The PageUp case is a good example of an exception to this approach as that company had obligations to notify in both Australia and the EU which required it to notify earlier (within the GDPR’s 72 hour obligation).

Whilst the Information Commissioner encourages organisations to complete the breach assessment in fewer than 30 days, as a matter of good practice and to reduce the risk of serious harm to affected individuals, this 30-day period nevertheless gives affected organisations, particularly those involved in joint ventures or multi-party arrangements, a proper opportunity to assess the incident more effectively.

During this time affected organisations may choose a lead entity to take responsibility for coordinating the overall breach response, setting up an incident response team, liaising with DELWP and making the notification to the OAIC (and affected individuals) following appropriate assessment of the incident.

Any approach which jumps the gun poses risks to the parties involved. The OAIC will likely seek further clarification, DELWP will want to know why it was not notified, and other industry participants will want to know why they weren’t consulted properly.

With breach events on the rise, it is important to manage and respond to them appropriately. Make sure you properly include industry regulator consultation and notification within your incident response plan. Yes, appropriate notification to the OAIC and affected individuals is important, but don’t leave your industry regulator out in the cold.
