Within sight: a new mandatory notification of data breaches scheme for Australia?
February 2017 | PROFESSIONAL INSIGHT | DATA PRIVACY
Financier Worldwide Magazine
Australia finally looks set to introduce a new scheme requiring the mandatory notification of eligible data breaches to both the privacy regulator and affected individuals.
While the voluntary notification of data breaches to the privacy regulator and affected individuals is encouraged in Australia pursuant to a non-binding guide introduced by the regulator several years ago, there is currently no provision in the Commonwealth Privacy Act 1988 (Privacy Act) providing for mandatory notification. This issue is at the heart of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Privacy Bill), which was introduced to the Commonwealth House of Representatives by the federal attorney general toward the end of 2016.
The introduction of a mandatory notification scheme for data breaches in Australia is widely considered long overdue.
The increased use of the internet, mobile technologies and the Internet of Things is posing ever-growing challenges for privacy protection. A number of high-profile data breaches, which have affected Australian organisations and individuals, have heightened awareness of the risks that accompany these technological advances.
We recently surveyed board members, C-suite and senior risk, information technology and legal executives with a view to gaining insights into the cyber resilience capabilities of Australian organisations. The results showed only a moderate level of preparedness and confidence in data protection. In fact, 70 percent of surveyed organisations were neutral or dissatisfied with their current preparedness to address cyber risks.
It therefore seems time for Australia to join many of its global counterparts in introducing a national mandatory data breach notification scheme.
Mandatory notification – a potted Australian history
While the Privacy Act requires Australian government agencies and specified private sector organisations to put in place reasonable security safeguards and take reasonable steps to protect the personal information they hold, there is currently no provision requiring the mandatory notification of data breaches (although mandatory notification should be at least considered in the context of complying with the reasonable steps obligation). This is despite the recommendation of the Australian Law Reform Commission that mandatory notification be introduced, save for circumstances where such notification would impact a law enforcement investigation or otherwise be contrary to public interest.
The existing voluntary data breach notification scheme, intended to apply where there is a real risk of serious harm, has not resulted in the widespread notification to the privacy regulator or affected individuals following a breach event.
Several bills have previously been introduced to the Australian parliament providing for the establishment of a framework for the mandatory notification of serious data breaches, but all have lapsed, largely due to a number of recent changes in Commonwealth government and leadership. Assuming there is bipartisan support for the Privacy Bill, however, there seem to be reasonable prospects that Australia will finally have a new mandatory notification law for data breaches.
The Privacy Bill – key concepts
The Privacy Bill proposes to introduce a requirement that the Australian privacy regulator and relevant individuals be notified in the event of an ‘eligible data breach’. An eligible data breach occurs where there is actual (or likely) unauthorised access to, disclosure of, or loss of personal information (and certain other specified information, including credit information) and a reasonable person in the entity’s position would conclude that serious harm to the individuals to whom the information relates is likely to result.
The concept of ‘serious harm’ is broadly construed. The Explanatory Memorandum accompanying the Privacy Bill states that it could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. The Privacy Bill includes the following non-exhaustive list of matters to be taken into account when determining the likelihood of serious harm occurring: (i) the kind of information and the sensitivity of the information; (ii) whether the information is protected by security measures (and the likelihood that such measures would be overcome); (iii) the persons (or kinds of persons) who have obtained (or could obtain) access to the information; (iv) the nature of the harm; and (v) any other relevant matters.
A number of exceptions apply to the definition of ‘eligible data breaches’. One critical exception occurs where an entity takes remedial action before the breach results in serious harm, which makes it unlikely that such harm will subsequently occur. Other exceptions include where notification has already been made by another entity.
The Privacy Bill introduces a new positive obligation to investigate suspected data breaches. The introduction of this obligation is intended to reduce the risk of notification fatigue in relation to data breaches which are not serious. If an entity has reasonable grounds to suspect there may have been an eligible data breach, the entity must carry out a reasonable and expeditious assessment. Reasonable steps to undertake the assessment must be taken within 30 days (after becoming aware of reasonable grounds for suspicion).
If an entity becomes aware (whether by the process of assessment or otherwise) of an eligible data breach, then the entity is obliged, as soon as practicable, to prepare a statement setting out certain specified information for the privacy regulator. Where it is practicable to do so, the entity must also take reasonable steps to notify the contents of the statement to affected individuals. If the notification to individuals is not practicable, alternative steps must be taken to publish the contents of the statement (for example, on the entity’s website).
Failure to comply with the mandatory notification requirements would be deemed an interference with privacy. The existing Australian enforcement regime will continue to apply, and the privacy regulator could require affected organisations to take steps, including the payment of compensation, the giving of an apology or a direction to take or refrain from taking certain action.
No doubt, potentially affected entities and their legal advisers will continue to closely monitor developments in relation to the new Privacy Bill.
In the interim, there are certain practical steps that Australian entities may take in order to ensure a smooth transition in the event the Privacy Bill becomes law. These steps should include reviewing existing data breach response and notification plans in light of the potential new obligations.
Pending the introduction of the new proposed mandatory notification law, entities (whether subject to the Privacy Act or otherwise) that are exposed to a data breach should also revisit the existing voluntary data breach notification scheme. Consideration should be given to whether voluntary notification to the privacy regulator and affected individuals will assist entities in managing the breach and mitigating any reputational damage.
Paul Kallenbach is a partner and Veronica Scott and Leah Mooney are special counsel at MinterEllison. Mr Kallenbach, Ms Scott and Ms Mooney can each be contacted on +61 3 8608 2622.
© Financier Worldwide
Paul Kallenbach, Veronica Scott and Leah Mooney