As a developer, you may develop apps for various purposes, such as entertainment, information or social networking. Your application may collect personal information such as names, email addresses, location data and more. If someone loses, misuses, or steals data, your company may face a data breach. This article explains the steps you may need to take if you discover a data breach in your app and considers what laws might apply.
What is a Data Breach?
A data breach occurs when someone accesses or discloses personal information without the person’s consent. It can also involve losing personal information. Personal information includes details that identify a person, such as an email address or a name.
Often, businesses think of data breaches as actions taken by hackers who steal data through planned attacks. However, human error or IT failures can also cause data breaches.
What Are Your Legal Requirements?
If a data breach occurs, your business may have to comply with the Notifiable Data Breach (NDB) scheme under the Privacy Act 1988 (Cth). The scheme sets out the rules for reporting data breaches. It applies to any business that qualifies as an APP entity, and also to a business that is:
- a health service provider;
- a credit reporting body; or
- receiving tax file numbers (TFNs), such as when you are paying employees and require their TFNs to comply with tax rules.
However, not all data breaches require reporting. The NDB scheme only requires the reporting of an ‘eligible data breach’ where:
- there is a loss of personal information, disclosure to an unauthorised person or unauthorised third party access;
- the loss, access or disclosure may lead to a risk of serious harm to a person or people; and
- your business has not been able to prevent the risk of serious harm.
For example, if an app developer accidentally receives customer data from your app while testing a feature and can quickly recover the data, no one is at risk of serious harm. In that situation, there is no need to report the data breach.
How Do I Respond to a Data Breach in my App?
If you suspect a data breach in your app, you should follow these steps to keep your customers safe and comply with your legal requirements. You should always consult an experienced privacy lawyer when responding to a data breach in your app.
1. Contain the Breach
Limit the spread of the lost data and ensure you can recover any lost customer information. Check who has access to backup data systems. Find out who controls the data processing and change permission settings immediately.
2. Assess the Breach
You must assess the seriousness of the breach within 30 calendar days. You should analyse the events that led up to the breach as well as the immediate fallout. Determine if any serious harm is likely to occur.
3. Determine if the Breach is Serious
You should ask yourself questions such as:
- what is the harm?
- did the breach cause any loss of sensitive information about users of the app?
- did the breach reveal sensitive information like credit card or driver’s licence details?
- who has access to the information because of the breach?
- is the information encrypted? and
- will the breach cause serious physical, psychological, emotional, financial or reputational harm to the person or people affected?
4. Notify the Office of the Australian Information Commissioner (OAIC)
If the breach is an eligible data breach, you must notify the OAIC. You can report it online using the OAIC’s Notifiable Data Breach Form. You should notify the OAIC as soon as practicable after becoming aware of an eligible data breach and, at the latest, within 30 days of becoming aware.
5. Notify Affected Individuals At Risk of Harm
After you have notified the OAIC, you must notify the affected individuals who use your app as soon as practicable and explain:
- the events that have occurred;
- what information has been affected; and
- practical steps individuals can take to limit the risk, such as removing their credit card details from the app or cancelling their account and creating a new one.
6. Review the Incident
To prevent future data breaches, you should carefully review how you handled the incident. You may want to create a data breach response plan that sets out the steps your business will take if there is another data breach. It can be useful for businesses to have a quick reference on how to comply with the NDB scheme requirements.
7. Update or Create New Documents
As part of your review, you should ensure your documents relating to privacy and data security are up-to-date and useful. You should have an IT Security Policy that states how you prevent data breaches within your app. In addition, your policy can explain:
- how the business prevents misuse of customer data and information;
- how users access devices that hold information and what level of access they receive;
- the mobile app’s security standards; and
- an incident response procedure.
You can also draft a Privacy Compliance Manual to train employees on their privacy obligations, including the data breach notification requirements. The manual should contain information on:
- the use, disclosure and storage of personal information;
- use of personal information for marketing purposes; and
- a complaint procedure for customers.
Key Takeaways
Keeping customer data safe is essential for your business’ reputation. You must prepare to handle a data breach before it happens to your app. If a data breach occurs, you need to respond and follow your obligations under the NDB Scheme. Always consult with a lawyer to understand your legal responsibilities and how to react to a specific data breach.
If you need assistance understanding your obligations under Australian privacy laws, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
The NDB scheme applies if personal information is lost, disclosed to an unauthorised person, or accessed by an unauthorised third party, leading to a risk of serious harm that your business cannot prevent. It’s relevant to APP entities, health service providers, credit reporting bodies, or businesses receiving tax file numbers (TFNs).
If you suspect a data breach, contain the breach, assess its seriousness within 30 days, and determine if it poses a risk of harm. If necessary, notify the OAIC and affected individuals, review the incident to prevent future breaches, and update your privacy and data security documents.