As a developer, you may develop apps for purposes such as entertainment, information or social networking. Mobile apps may also collect personal information such as names, email addresses or location data. If the data is lost, misused or stolen, you may have a data breach. This article explains the steps you need to take if you discover a data breach in your app.
What is a Data Breach?
A data breach is where someone gets unauthorised access to personal information without the person’s consent. Personal information is any information that identifies a person, such as their email address or their name.
Hackers can steal data through planned criminal attacks, but human error or IT failures can also lead to data breaches. Examples of data breaches in apps include:
- a criminal group that hacks your heart monitoring app to publish sensitive medical information about its users;
- an employee forgetting to encrypt sensitive data on the app; and
- a glitch in the app which allows the theft of private photos that are published online without user consent.
What are Your Legal Requirements?
If a data breach occurs, your business may have to comply with the Notifiable Data Breach (NDB) scheme. The scheme sets out rules on how to report data breaches and applies to any business that has an annual turnover of more than $3 million. Exceptions to this turnover rule apply, such as if your business:
- is a health service provider;
- is a credit reporting body; or
- receives tax file numbers (TFNs), such as when you are paying employees and require their TFNs to comply with tax rules.
However, not all data breaches require reporting. The NDB scheme only requires the reporting of an ‘eligible data breach’ where:
- there is a loss of personal information, disclosure to an unauthorised person or unauthorised third party access;
- the loss, access or disclosure may lead to a risk of serious harm to a person or people; and
- your business could not prevent the risk of serious harm.
How Do I Respond to a Data Breach in my App?
If you suspect a data breach in your app, you should follow these steps to keep your customers safe and comply with your legal requirements.
1. Contain the Breach
Limit the spread of lost data. Ensure you can recover any lost customer information. Check who has access to back-up data systems. Find out who controls the affected data and systems and change permission settings immediately.
2. Assess the Breach
You must assess the seriousness of the breach within 30 calendar days. You should analyse the events that led up to the breach as well as the immediate fallout. Determine if any serious harm is likely to occur.
3. Determine if the Breach is Serious
You should ask yourself questions such as:
- what is the harm?
- did the breach cause any loss of sensitive information about users of the app?
- did the breach reveal sensitive information like credit card or driver’s licence details?
- who has access to the information because of the breach?
- is the information encrypted? and
- will there be serious physical, psychological, emotional, financial or reputational harm to the person or people affected by the breach?
4. Notify Affected Individuals At Risk of Harm
Notify the individuals who use your app. You can email them about the data breach. Explain:
- the events that have occurred;
- what information has been affected; and
- practical steps individuals can take to limit risk, such as removing their credit card details from the app or cancelling their account and opening a new one.
5. Notify the Office of the Australian Information Commissioner (OAIC)
You must write a statement that summarises how the breach occurred, any lost data and the impact of the breach on your customers. You must then submit the statement to the OAIC. There is an online form that provides a template for how to write the statement.
6. Review the Incident
To prevent future data breaches, you should carefully review how you handled the incident. You may want to create a data breach response plan that sets out the steps your business will take if there is another data breach. It can be useful for businesses to have a quick reference on how to comply with the NDB scheme requirements.
7. Update or Create New Documents
You should have an IT Security Policy that states how you prevent data breaches within your app. In addition, your policy can explain:
- how the business prevents misuse of customer data and information;
- how users access devices that hold information and what level of access they receive;
- the mobile app’s security standards; and
- an incident response procedure.
You can also draft a Privacy Compliance Manual to train employees to comply with any data breach notification requirements if they affect customer privacy. The manual should contain information on:
- the use, disclosure and storage of personal information;
- use of personal information for marketing purposes; and
- a complaint procedure for customers.
Keeping your customer data safe is essential for your business’ reputation. Ensure you create a data breach response plan so you know how to deal with any future data breaches within your app. Find ways to limit the risk of future data breaches by reviewing existing policies. If a data breach does occur, ensure you comply with all the legal requirements under the NDB scheme. If you have any questions, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.