Australian businesses have been warned they can no longer keep quiet about cyber security breaches, after the Senate passed laws mandating their disclosure 15 years after they were introduced in the US.
The long anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) was passed in the Australian Parliament on 13 February 2017. The Bill amends the Privacy Act 1988 (Privacy Act) to introduce mandatory data breach notification provisions requiring any organisation that is accountable to the Privacy Act to inform the Australian Information Commissioner and members of the public if their data has been compromised. This includes most Commonwealth Government agencies, some private sector organisations, credit reporting bodies, credit providers and tax file number recipients.
Data breach notification has been a topical issue in privacy regulation around the world for many years. In the absence of a mandatory data breach notification regime, the Australian Information Commissioner previously encouraged organisations to voluntarily undertake notification of data breaches, however, there has been no express requirement under the Privacy Act for organisations to do so. Recent high-profile data breaches such as those impacting LinkedIn, Adobe, Optus and Ashley Madison have received significant public attention raising concerns about identity fraud and driving the development of new laws in this area.
This new legislation brings Australia into alignment with other countries, like the US which have had the same requirement for years, providing Australians with greater clarity about the privacy of their personal information. It will not only affect companies in Australia but international companies with Australian operations.
Notification requirements and obligations
The new legislation requires any organisation currently subject to the Privacy Act to investigate any data breach they have suffered within 30 days. Before notifying anyone, the company will have to determine whether it is an “eligible data breach”. Broadly speaking, an “eligible data breach” will occur where:
- There is unauthorised access to, or unauthorised disclosure of, the information; and
- A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
The Explanatory Memorandum explains that serious harm is broadly construed. It could include serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation.
In order to help this assessment, the Bill contains a non-exhaustive list of relevant matters to note when determining whether ‘serious harm’ is likely, such as: the type of information, the impact the data loss will have on employees, how the information was protected and the particular steps that were taken to minimize any harm to the individual.
Following such an assessment, organisations must promptly notify the Office of the Australian Information Commissioner and affected individuals where the organisation has, or suspects there are, reasonable grounds to suspect that an “eligible data breach” has occurred. This would require the organisation to:
- Prepare a statement setting out the organisation’s identity and contact details, a description of the eligible data breach, the kinds of information concerned, and recommendations about the steps that individuals should take in response to the breach;
- Give a copy of this statement to the Information Commissioner;
- If practicable, take reasonable steps to notify the contents of the statement to each individual to whom the information relates or is at risk of the breach in the method the entity normally communicates with the individual; and
- If individual notification is not practicable, publish a copy of the statement on the entity’s website (if any) and take reasonable steps to publicise the contents of the statement.
There are a number of exceptions to the notification requirements and obligations which include exceptions for small businesses, as the legislation covers most Australian Government agencies and all private sector and non-for-profit organisations with an annual turnover of more than AU$3M, and where an organisation has taken remedial action to address potential harm to individuals that may arise due to a relevant data breach before any serious harm is caused to individuals to whom the information relates. Other exceptions where the mandatory notification obligations will not apply cover law enforcement, commonwealth secrecy requirements, data breaches impacting multiple entities and declarations by the Commissioner.
Consequences of non-compliance
A breach of a mandatory notification requirement is deemed to be an ‘interference with the privacy of an individual’ and as a result, may amount to a breach of a civil penalty provision of the Privacy Act. This could result in an organisation being liable for a civil penalty of up to 2,000 penalty units, the current value of which is $1.8 million.
Key aspects that organisations should keep in mind and plan for ahead of the new legislation include:
- Ensuring that personnel with management and privacy compliance responsibilities understand the operation and implications of the legislation and establish who should be the first point of call in the event of a data breach.
- Implement a formal data breach plan. As the 30-day assessment period will begin as soon as an organisation discovers the data breach it is important to put procedures in place to manage compliance with the notification obligations.
- Ensuring adequate contractual provisions are in place to manage compliance with the notification obligations. If several different organisations are involved in the same breach, only one will need to notify the Information Commissioner. Organisations can avoid third parties providing details about the breach to the commissioner or customers by addressing this issue up front in a contract when considering outsourcing or making arrangements with others who hold personal information for the organisation.