On 22 February 2018, data breach notification laws will commence in Australia. This will have a significant effect on how many companies react to data breaches in Australia. It is also already changing the extent to which companies are preparing for data breaches.
This is significant for all businesses that carry on business in Australia, whether or not they are Australia-based.
The current state of play
At the moment, mandatory breach notification in Australia is restricted to particular data sets and circumstances. In particular, the My Health Records Act 2012 (Cth) requires notification of certain data breaches: section 75.
The Australian regulator, the Office of the Australian Information Commissioner, encourages data breach reporting, but does not require it. This has resulted in many organisations choosing to notify data breaches to the Office of the Australian Information Commissioner and to affected individuals.
However, anecdotal evidence suggests that many other organisations, and particularly medium-sized businesses, choose not to report them. Decision makers can decide not to disclose in the hope that the breach (and also their decision not to disclose it) does not later become public, or breaches can be handled by IT personnel who focus on technical rather than broader compliance issues.
Such an approach can be dangerous, even under existing laws. A considered approach needs to be taken in every case.
For example, whilst Australian privacy laws do not currently require notification of the Information Commissioner or of individuals, there are other laws which sometimes require that steps be taken. In the state of New South Wales, for example, it is a crime which can attract up to 2 years' imprisonment for a person who knows or believes that a serious indictable offence has been committed, and that he or she has information which might be of material assistance in securing the apprehension, prosecution or conviction of the offender, to fail without reasonable excuse to bring that information to the attention of a member of the Police Force or another appropriate authority: s 316 Crimes Act 1900 (NSW). A variety of cyber attacks, including unauthorised access and crypto-locker attacks, can constitute serious indictable offences: see Part 6 of the Crimes Act 1900. In addition, highly regulated entities such as banks and insurers risk putting their regulators off-side if they do not handle data breaches in accordance with those regulators' expectations and any applicable policies.
In addition, organisations which fail to notify individuals of a data breach risk possible liability under existing laws. For example, Australian Privacy Principle 11 requires entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Office of the Australian Information Commissioner considers preparation of a data breach response plan which includes notification of affected individuals to be a "reasonable step" for the purpose of that obligation. Further, failure to notify individuals of a breach will potentially increase the harm the individuals suffer (e.g. by way of fraud which the perpetrator commits using the information) and thus the extent of the relief likely to be awarded to them if it is later found that the breach occurred as a result of a breach of Australian Privacy Principle 11. It is also possible that the individuals will be able to sue in negligence for the failure to notify, though no precedent has yet been established under Australian law.
The reputational effects of a decision to notify or not to notify, and of what to say, are also significant. The Commonwealth Bank has published a report on the effect of data breach reporting on share prices. It found that on average the share prices of companies that reported a data breach underperformed against the broader stock market by 2 to 4% in the following 100 days. It also noted that many companies' prices were unaffected, and that the factors affecting the impact include the type and magnitude of the data loss, what the market infers about the company's security capability at the time of the breach, and the company's confidence when communicating how it will remediate customer impacts: see Reporting Data Breaches – the Impact on Share Prices at https://www.commbank.com.au/guidance/business/reporting-data-breaches–-the-impact-on-share-prices-201706.html. A good data breach response plan may assist in minimising the impact on share price by conveying the capability and confidence that the market seeks.
The new provisions
The new provisions will introduce new data breach reporting obligations which will apply to all entities regulated under the Privacy Act 1988 (Cth). The Privacy Act binds private sector organisations (most businesses with turnover above $3m per year) and Commonwealth Government agencies.
They are expected to significantly increase the extent of data breach reporting in Australia.
What counts as an eligible data breach?
Under the new provisions, an eligible data breach will occur where (s 26WE):
- there is unauthorised access to or disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates; or
- information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any of the individuals to whom that information relates.
Whether a reasonable person would conclude that a person was likely to suffer serious harm as a result of the breach depends upon a broad range of factors including the nature, sensitivity and protection-level of the information (s 26WG).
What will affected entities be required to do?
The new legislation places various obligations on entities in response to an eligible breach. These include:
- Assessing whether there are reasonable grounds to believe an eligible data breach has occurred within 30 days of developing a suspicion of such a breach (s 26WH);
- Once an entity has reasonable grounds to believe there has been an eligible data breach, preparing a statement setting out the contact details of the entity, the nature of the breach and the steps it recommends affected individuals take in response (s 26WK). A copy must also be provided to the Office of the Australian Information Commissioner (OAIC); and
- Taking such steps as are reasonable in the circumstances to notify affected and at risk individuals of the contents of the statement as soon as is practicable. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents (s 26WL).
The OAIC may also direct an entity to notify affected individuals if it becomes aware that there are reasonable grounds to believe that the entity has suffered an eligible data breach (s 26WR).
What are the consequences of non-compliance?
If an entity fails to comply with the new legislation the consequences are, in effect, the same as if the entity had failed to comply with the Australian Privacy Principles. In summary, the main consequences are the risk of a determination to pay compensation (and court proceedings by the OAIC for the payment of compensation if the entity does not comply) and also the risk of paying civil penalties of an amount up to $1.8 million in the case of corporations.
Entities that do not take appropriate steps to notify will also face the other possible consequences which exist under current laws outlined above.
What steps should be taken now to prepare?
In order to comply with the new law, and with existing laws, organisations should ensure that they have data breach response plans in place, and people who are ready and able to implement them at short notice.
Preparation of a plan, and responding to a breach, requires input from legal, information technology, PR and business experts. It is also important to understand your insurance position. Every company should consider the specific issues that might arise in its particular circumstances, including any regulatory considerations specific to its sector and in each jurisdiction in which it operates.
Plans should include details of which experts and business stakeholders to draw upon, including their after-hours contact details. Best practice also includes equipping those experts with sufficient knowledge of the systems, the business, and likely scenarios to enable them to work quickly as a team if the worst occurs.
Every business hopes that through good security and training it will avoid being the subject of a major data breach.
The new Australian data breach notification laws provide further reason for entities which carry on business in Australia to put in place measures not only to prevent data breaches, but also to enable those businesses to respond quickly and effectively to any data breaches that do occur.