Australia's new data breach notification laws take effect today
On 22 February 2018, Australia became the latest country to introduce a mandatory data breach notification law.
What is mandatory data breach notification?
Until now, there has been no legal obligation for businesses in Australia to notify regulators or individuals of security breaches which affect personal information. While the Office of the Australian Information Commissioner (“OAIC”) encouraged notification, the majority of breaches went undisclosed.
The Privacy Act now requires Commonwealth government agencies and large private sector businesses to report serious data breaches to the OAIC and affected individuals.
Who does the requirement apply to?
The new mandatory data breach notification scheme applies to all entities that are currently subject to the Privacy Act – this includes Commonwealth government agencies and private sector organisations with an annual turnover exceeding $3 million. It also applies to small businesses which trade in personal information or are contractors to the Commonwealth government.
Which data breaches need to be notified?
Agencies and organisations which experience a data breach in relation to personal information will have 30 days to assess whether the breach must be notified under the scheme.
A data breach will be notifiable if:
- There is unauthorised access to or unauthorised disclosure of personal information (or loss of personal information in circumstances where unauthorised access to or unauthorised disclosure is likely).
- A reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the personal information relates.
A “data breach” is not limited to hacking or theft of data. It also covers accidental loss or disclosure of data which may result from, say, a system being left unsecured or a memory stick being left in a taxi.
“Serious harm” could include physical, psychological, emotional, economic or reputational harm. Whether serious harm is likely will depend on a range of factors, including the type of personal information involved and how it could potentially be used, the persons who have gained access to the information, as well as whether the information was encrypted or otherwise protected in any way.
What does notification involve?
If an agency or organisation has “reasonable grounds” to believe that an eligible data breach has occurred, it must notify the OAIC and affected individuals as soon as practicable. The OAIC may also direct an agency or organisation to notify affected individuals.
The agency or organisation may either notify all individuals to whom the personal information relates, or only those individuals who are considered to be “at risk” from the data breach.
The notice must set out:
- The identity and contact details of the agency or organisation
- A description of the breach
- The types of personal information that were disclosed
- Recommendations about the steps that affected individuals should take in response to the breach.
The notice may be given by the communication method the entity normally uses to contact the individual, such as email, mail or telephone.
If it is impractical to notify every affected individual, the entity can instead publish a notice on its website and take reasonable steps to publicise that notice.
What are the penalties for not notifying?
Agencies or organisations which do not notify the OAIC and/or the affected individuals of a serious data breach will be in breach of the Privacy Act. The agency or organisation may also have breached Australian Privacy Principle 11 if the data breach was a result of inadequate security measures.
The OAIC may require the entity to make a public apology and pay compensation to the affected individuals. Civil penalties of up to $1.8 million could also apply for serious or repeated non-compliance with the notification requirements.
What does your organisation need to do?
If they have not already done so, Australian businesses should take action now to ensure they are ready if and when they suffer a notifiable data breach.
It is important to have a data breach response plan in place. A data breach response plan should set out how the business will respond to a breach and provide clear processes and checklists for staff to follow, particularly in the first few hours after an incident. A good data breach response plan should:
- Provide for technical investigation of incidents to determine whether a data breach has occurred.
- Set out when a data breach must be notified and, for breaches which the law does not require to be notified, the organisation’s policy on when to notify.
- Set out the process and responsibilities for preparing and approving notices, contacting the OAIC, and contacting individuals.
- Identify appropriate external legal and PR contacts to assist in notification and managing publicity around an incident.
Businesses should also check their insurance coverage to ensure that they are covered for the costs of data breach notification. Many standard corporate insurance policies (such as general liability and directors’ and officers’ policies) now expressly exclude coverage for cyberattacks and accidental loss of personal information. Many insurers now offer cyberliability or data protection policies which specifically cover this risk – these policies first became popular in the USA, after many US states introduced mandatory data breach notification requirements in the early 2000s.
Kennedys has experienced data privacy and cyberliability teams who can answer your questions about the new mandatory data breach notification scheme and help your business put a data breach response plan in place.