Australia's mandatory data breach notification scheme: better late than never

After years of hype, delay and speculation, on 13 February 2017 the Senate passed the highly anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016 (‘Bill’) which essentially establishes a mandatory nationwide data breach notification scheme (‘Scheme’).

The Bill is the latest of several proposals over recent years to introduce a mandatory data breach notification scheme. It was widely believed after the introduction of the Bill into the House of Representatives in October 2016 that it would pass through the Senate prior to the end of the parliamentary year, particularly given its bipartisan support. However, the Bill seemed to fall off the parliamentary agenda as Christmas approached and many feared it would ultimately lapse.

However, after second and third readings in the House of Representatives on 7 February 2017 and an introduction to the Senate the following day, the Bill passed a week later. Australian Greens Senator Scott Ludlam proposed a number of changes to the Bill, each of which was voted down, and the Bill passed intact.

The Bill should receive Royal Assent in the near future and become an Act (the ‘Amendment Act’) amending the Privacy Act 1988 (the ‘Privacy Act’). The provisions within the Bill state that it will commence on a single day fixed by proclamation. However, if the provisions do not commence before 12 months from the day the Bill receives Royal Assent, the Amendment Act will commence on the day after the end of that period. Therefore, it is likely that organisations will have a twelve-month period to prepare themselves for compliance with the Scheme.

For those entities dealing with a current eligible data breach, it is important to note that the amendments to the Privacy Act apply to a data breach that happens after the commencement of the Amendment Act. In the event that they involve a sustained attack on a system over a lengthy period of time, it is possible that a number of long-running data breaches will qualify for the Scheme once the Amendment Act comes into effect, meaning that some entities may be required to take immediate steps to comply with the Scheme.

The Scheme

Until now, there has been no legal obligation for organisations in Australia to notify regulators or individuals of security breaches that affect personal information, with the exception of entities holding health information. However, the Amendment Act creates a legal obligation on government and business to report data breaches to the Office of the Australian Information Commissioner (‘OAIC’) and affected individuals.

The Amendment Act was drafted after a lengthy community consultation period, and aims to strike a balance between the need for individuals to know when their personal information has been compromised, and the costs of notification to organisations.

Who will be affected by the Amendment Act?

The new Scheme applies to all entities that are currently subject to the Privacy Act – this includes Commonwealth government agencies and private sector organisations with an annual turnover exceeding $3 million. There are specific exceptions for small businesses, agencies which are subject to secrecy provisions and law enforcement agencies in certain circumstances.

Understanding the amendments to the Privacy Act

Agencies and organisations subject to the Privacy Act which experience a data breach in relation to personal information will have 30 days to assess whether the breach is an “eligible data breach” and must be notified under the Scheme.

Essentially, an “eligible data breach” occurs if:

  • there is unauthorised access to or unauthorised disclosure of personal information;
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the personal information relates.

A “data breach” under the Amendment Act is not limited to hacking or theft of data. It also covers accidental loss or disclosure of data which may result from, say, a system being left unsecured or a memory stick being left in a taxi.

The inclusion of the words “is likely to” is important as the breach itself does not necessarily have to have caused serious harm before the entity is required to comply with the Scheme.

“Serious harm” is not defined in the Amendment Act, but could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.

It is also important to note that whilst a data breach may cause distress or upset to an individual this would be insufficient to require notification, unless a reasonable person in the entity’s position would consider that the likely consequences for those affected individuals would constitute a form of “serious harm”.

Responding to a data breach

If an organisation has “reasonable grounds” to believe that an eligible data breach has occurred, or the OAIC directs an organisation to do so, it must give notification to the OAIC as well as the affected individuals. Notification must include a statement stipulating:

  • the identity and contact details of the entity;
  • a description of the eligible data breach;
  • the kinds of information concerned; and
  • recommendations about the steps individuals should take in response to the eligible data breach.

When notifying affected individuals, the entity may use the communication method it normally uses to contact the individual, such as email, mail or telephone. The Amendment Act also gives the entity the discretion to notify either each affected individual or, if not all affected individuals are considered to be “at risk” from the data breach, only the “at risk” individuals. Further, if it is impractical to notify either every affected individual or only those “at risk”, the entity can instead publish a notice on its website and take reasonable steps to publicise that notice.

Penalties for non-compliance with the scheme

Agencies or organisations which do not notify the OAIC and/or the affected individuals of a serious data breach will be in breach of the Privacy Act. The agency or organisation may also have breached Australian Privacy Principle 11 if the data breach was a result of inadequate security measures.

The OAIC may require the entity to make a public apology and pay compensation to the affected individuals. Civil penalties could also apply for serious or repeated non-compliance with the notification requirements.

Take-away points

Australian agencies and organisations need to take action now to ensure they are ready when the Amendment Act comes into effect, which will most likely be early next year.

It is important to have a data breach response plan in place. A data breach response plan should set out how the agency or organisation will respond to a breach and provide clear processes and checklists for staff to follow, particularly in the first few hours after an incident. A comprehensive data breach response plan should include:

  • office and after-hours contact details for key personnel involved in the response;
  • allocation of responsibilities for investigating the breach, putting in place temporary measures to mitigate the effects of the breach and communicating with the OAIC and affected individuals;
  • checklists for assessing whether the data breach is eligible for notification under the Amendment Act and assessing other risks associated with the data breach; and
  • template documents to notify the OAIC and affected individuals of the breach.

Organisations should also review their policies of insurance to ensure that they are covered for the costs of data breach notification. Many standard corporate insurance policies (such as general liability and directors’ and officers’ policies) now expressly exclude coverage for cyberattacks and accidental loss of personal information. Many insurers now offer cyber liability or data protection policies which specifically cover this risk – these policies first became popular in the USA, after many US states introduced mandatory data breach notification requirements in the early 2000s.

The OAIC has indicated that it will be supporting agencies and organisations to prepare for the commencement of the scheme and will be hosting a series of events over the next twelve months through the OAIC’s Privacy Professionals Network.

Kennedys has experienced data privacy and cyber liability teams who can answer your queries about the Scheme and assist your organisation to put a data breach response plan in place.

This article was prepared with the assistance of Kate Pitcairn.