The 6th Director of the FBI once stated: "There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."
Under the Act, a data breach occurs where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to unauthorised access. In case of a data breach, companies are required to:
- notify the Data Commissioner without delay, within seventy-two hours of becoming aware of such breach; and
- communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.
- Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the delay.
Where a partner or supplier connected to your business information infrastructure becomes aware of a personal data breach, the partner/supplier is required to notify you without delay and where reasonably practicable, within forty-eight hours of becoming aware of such breach.
The notification and communication of breach shall provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach, including:
- description of the nature of the data breach;
- description of the measures that the Company/partner/supplier intends to take or has taken to address the data breach;
- recommendations on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
- where applicable, the identity of the unauthorised person who may have accessed or acquired the personal data; and
- the name and contact details of the data protection officer where applicable or other contact point from whom more information could be obtained.
The communication of a breach to the data subject is not required where the affected business/partner/supplier has implemented appropriate security safeguards, which may include encryption of the affected personal data.
Businesses are required to record with the Data Commissioner information relating to a personal data breach including:
- the facts relating to the breach;
- its effects; and
- the remedial action taken.