As a developer, you may develop apps for purposes such as entertainment, information or social networking. Mobile apps may also collect personal information such as names, email addresses or location data. If the data is lost, misused or stolen, you may have a data breach. This article explains the steps you need to take if you discover a data breach in your app.

What is a Data Breach?

A data breach is where someone gets unauthorised access to personal information without the person’s consent. Personal information is any information that identifies a person, such as their email address or their name. 

Hackers can steal data through planned criminal attacks, but human error or IT failures can also lead to data breaches. Examples of data breaches in apps include:

  • a criminal group that hacks your heart monitoring app to publish sensitive medical information about its users; 
  • an employee forgetting to encrypt sensitive data on the app; and
  • a glitch in the app which allows the theft of private photos that are published online without user consent. 

What are Your Legal Requirements?

If a data breach occurs, your business may have to comply with the Notifiable Data Breach (NDB) scheme. The scheme sets out rules on how to report data breaches and applies to any business that has an annual turnover of more than $3 million. Exceptions to this turnover rule apply, such as if your business:

  • is a health service provider;
  • is a credit reporting body; or
  • receives tax file numbers (TFNs), such as when you are paying employees and require their TFNs to comply with tax rules.

However, not all data breaches require reporting. The NDB scheme only requires the reporting of an ‘eligible data breach’ where:

  1. there is a loss of personal information, disclosure to an unauthorised person or unauthorised third party access;
  2. the loss, access or disclosure may lead to a risk of serious harm to a person or people; and
  3. your business could not prevent the risk of serious harm.

For example, hackers access data of people who have signed up to use your heart monitor app. They steal information about their names, email addresses and medical conditions. The hacking group then publishes that information online. This situation would be an ‘eligible data breach’.

However, if an app developer accidentally receives customer data from your app because they were testing a feature, they can quickly patch the loss of data. As no one is at risk of serious harm in that situation, there is no need to report the data breach. 

How Do I Respond to a Data Breach in my App?

If you suspect a data breach in your app, you should follow these steps to keep your customers safe and comply with your legal requirements.

1. Contain the Breach

Limit the spread of lost data. Ensure you can recover any lost customer information. Check who has access to back-up data systems. Find out who controls the affected data and change access permissions immediately.

2. Assess the Breach

You must assess the seriousness of the breach within 30 calendar days. You should analyse the events that led up to the breach as well as the immediate fallout. Determine if any serious harm is likely to occur.

3. Determine if the Breach is Serious

You should ask yourself questions such as:

  • what is the harm?
  • did the breach cause any loss of sensitive information about users of the app?
  • did the breach reveal sensitive information like credit card or driver’s licence details?
  • who has access to the information because of the breach?
  • is the information encrypted? and
  • will there be serious physical, psychological, emotional, financial or reputational harm to the person or people affected by the breach?

4. Notify Affected Individuals At Risk of Harm

Notify the individuals who use your app. You can email them about the data breach. Explain:

  • the events that have occurred;
  • what information has been affected; and
  • practical steps individuals can take to limit risk, such as removing their credit card details from the app or closing their account and creating a new one.

5. Notify the Office of the Australian Information Commissioner (OAIC)

You must write a statement that summarises how the breach occurred, any lost data and the impact of the breach on your customers. You must then submit the statement to the OAIC. There is an online form that provides a template for how to write the statement.

6. Review the Incident

To prevent future data breaches, you should carefully review how you handled the incident. You may want to create a data breach response plan that sets out the steps your business will take if there is another data breach. It can be useful for businesses to have a quick reference on how to comply with the NDB scheme requirements.

7. Update or Create New Documents

You should have an IT Security Policy that states how you prevent data breaches within your app. In addition, your policy can explain:

  • how the business prevents misuse of customer data and information;
  • how users access devices that hold information and what level of access they receive;
  • the mobile app’s security standards; and
  • an incident response procedure.

You can also draft a Privacy Compliance Manual to train employees to comply with any data breach notification requirements if they affect customer privacy. The manual should contain information on: 

  • the use, disclosure and storage of personal information;
  • use of personal information for marketing purposes; and
  • a complaint procedure for customers.

Key Takeaways

Keeping your customer data safe is essential for your business’ reputation. Ensure you create a data breach response plan so you know how to deal with any future data breaches within your app. Find ways to limit the risk of future data breaches by reviewing existing policies. If a data breach does occur, ensure you comply with all the legal requirements under the NDB Scheme. If you have any questions, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
