Online survey and form building service Typeform recently reported a data breach had taken place in its systems. While the vulnerability has been patched, Australian companies that use the form building software, ranging from Airtasker and Bakers Delight to the Tasmanian Electoral Commission, have revealed some data may have been compromised during the breach. The effects of the data breach are far-reaching, with the potential to affect many more companies.

This article sets out the steps you should take if your business has been affected by the breach. Specifically, it explains whether you need to notify your customers of the breach and how you can safeguard your business against future breaches.

What is the Typeform Data Breach?

Typeform is a Barcelona-based Software as a Service (SaaS) provider. It provides software to companies for online surveys, competitions and webforms. Hackers attacked Typeform’s data backups for surveys conducted before 3 May 2018 and gained access to personal information. According to the affected companies, this information included names and email addresses. For some organisations, such as the Tasmanian Electoral Commission, the data breach is more serious as the breach compromised electoral details for up to 4,000 voters. 

Does Your Business Need to Comply with the Notifiable Data Breach Scheme?

If your business needs to comply with the Privacy Act 1988 (Cth), it should also comply with the Notifiable Data Breaches (NDB) scheme. Under the NDB scheme, a business must report severe privacy breaches to the Office of the Australian Information Commissioner (OAIC). Businesses must also notify the individuals affected by the breach.

The Privacy Act and NDB scheme apply to certain entities in Australia such as:

  • entities with an annual turnover of more than $3 million (including charities and not-for-profit organisations);
  • health service providers (including gyms);
  • some small businesses (including those selling or purchasing personal information); and
  • entities that ‘opt-in’ and choose to comply with the Australian Privacy Principles.

Other small businesses might also need to comply with the NDB scheme. 

What You Should Do if You Think a Notifiable Data Breach Has Occurred

When it comes to reporting, it is not enough that a data breach has occurred. The breach must also satisfy the following criteria:

  • your business must have experienced unauthorised access to, or unauthorised disclosure or loss of, personal information (for example, a database is hacked, as in the Typeform incident);
  • the loss, access or disclosure is likely to result in serious harm to a person; and
  • your business has not been able to prevent the likely risk of serious harm.

What is Serious Harm?

Your business must assess the breach to determine if it is likely to cause serious harm. You must do this within 30 days of the suspected data breach occurring.

The NDB scheme lists the relevant matters that can assist you in determining whether the data breach will result in serious harm. These include:

| Relevant Matter | Explanation |
| --- | --- |
| Sensitivity of the information | Disclosure of sensitive information such as medical records or sexual orientation is much more likely to cause serious harm. |
| Type of information | Even if the information is not ‘sensitive’, certain kinds of information such as credit card details, Medicare numbers or drivers licences may be more likely to result in serious harm. |
| Whether security measures protect the information | If the information remains encrypted, and those who can now access it cannot break the encryption, release of the information may not have caused serious harm. |
| The nature of the harm | Releasing credit card details will have immediate and serious consequences. In comparison, releasing only a person’s name will not. |

However, ‘serious harm’ is not limited to financial loss. It can also include identity theft, loss of employment opportunities, workplace bullying and reputational damage. Therefore, your assessment procedure must consider all possible types of harm.

In the case of the Typeform data breach, your business will need to assess the type of information hacked and whether the breach is likely to cause serious harm. In any event, you might decide that it is good business practice to inform your customers if a data breach has occurred. This is particularly so if the breach has been in the media.

How to Report Notifiable Data Breaches

If you have reasonable grounds to believe that your business has suffered a reportable data breach, you must notify the individuals affected by the breach, for example, by email. You must also inform the OAIC. Your notifications should include:

  • the business and its contact details;
  • a description of the data breach;
  • the type of personal information that was disclosed; and
  • your recommendations regarding the steps individuals should take to respond to the breach (for example, changing their password).

How Can I Prepare My Business For Data Breaches?

If your business needs to comply with the NDB scheme, you should update your privacy policy and procedures. The OAIC also recommends that you prepare a data breach response plan.

Furthermore, you should review any IT contracts under which your business discloses or receives personal information. As part of this review, you should seek control over determining whether a notifiable data breach has occurred, rather than leaving it to the other party to make the assessment.

Data Breaches in the European Union

If your business collects personal information belonging to EU residents, you may need to comply with additional reporting requirements in the EU’s General Data Protection Regulation (GDPR). If your business needs to comply with the GDPR, you have up to 72 hours to notify the relevant supervisory authority of a reportable personal data breach. The reporting requirements require that you:

  • describe the nature of the personal data breach, the categories and approximate number of people and data records concerned;
  • have a contact point in your business where the supervisory authority can obtain more information;
  • describe the likely consequences of the data breach; and
  • describe any measures taken, or proposed to be taken, by your business to address the breach and where appropriate, any measures taken to mitigate adverse effects.

The GDPR imposes fines of up to ten million Euros on businesses for non-compliance. Therefore, you should develop or update any internal breach notification procedures and set up adequate data breach identification systems. You should also have a data breach response plan to ensure you are well-prepared in the event of a data breach.

Key Takeaways

You should always prepare your business for the possibility of a data breach. This is especially the case if your business needs to report notifiable data breaches or comply with the GDPR. To do this, you must create assessment procedures to determine if a data breach is notifiable, draft a data breach response plan and review your IT contracts. This means you will be in a better position to respond to a potential data breach and protect your customers against unauthorised access to or use of their data.

If you believe your business has been involved in the Typeform data breach, or if your business needs help to comply with the Notifiable Data Breaches scheme or the GDPR, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Lauris De Clifford