A guide to the new data breach laws
Feb 2018 | Cyber Risk
By 23 February 2018 we will have new mandatory data breach reporting obligations under the Privacy Act 1988 (Cth) (Act). Here is a guide to what you need to know.
Who is captured?
Organisations (excluding state government entities) that:
- Have an annual turnover of over $3 million for the previous financial year and possess or control information that identifies an individual (personal information); or
- Hold a record containing a tax file number of an identifiable individual. An employer’s holding of current or former employees’ tax file numbers is exempt. An example of the application of the Act to holders of tax file numbers is an accounting practice advising individuals on tax matters.
Good to know: If an entity has disclosed personal information to an overseas recipient, they remain accountable for the personal information even though an eligible data breach may occur offshore. For example, a recruitment agency may share large volumes of data about its candidates using Dropbox. Dropbox stores the data on servers in the US.
What is an eligible data breach?
The notification obligation hinges on the concept of an ‘eligible data breach’. An ‘eligible data breach’ occurs if:
- There has been (or is likely to be) unauthorised access or disclosure of information; and
- A ‘reasonable person’ would conclude that the access or disclosure would ‘likely’ result in ‘serious harm’ to the affected individuals.
The test as to whether the serious harm is ‘likely’ is whether serious harm is more probable than not.
‘Serious harm’ is a pivotal concept and is not defined, but can include physical, psychological, emotional, reputational and financial harm. Relevant matters to be considered in ascertaining whether serious harm is likely to result include:
- The kinds of information affected. For example, a person’s date of birth is permanent and cannot be altered, whereas a password can easily be changed;
- The sensitivity of the information. For example, the Red Cross data breach involved the sexual history of its donors, which is clearly sensitive;
- Whether the information is encrypted. If so, its access or disclosure may be less likely to cause serious harm because it may not be decipherable; and
- The nature of the harm. For example, Medicare numbers and driver's licence details can assist in identity theft, and credit card details can result in financial harm.
Good to know: The mere loss or disclosure of information does not trigger the operation of the Act. The central concept of ‘serious harm’ provides a threshold which is heavily dependent on the circumstances of a breach.
What is to be done in the event of an eligible data breach?
There are two courses of action an organisation can take depending upon whether an eligible data breach is suspected or believed to have taken place.
In short, suspicion requires assessment and belief requires notification.
If an organisation has ‘reasonable grounds’ to suspect an eligible data breach, it must:
- Complete a ‘reasonable and expeditious’ assessment of whether an eligible data breach has occurred; and
- Take ‘all reasonable steps’ to complete the ‘reasonable and expeditious’ assessment within 30 days of the date it first becomes aware of the reasonable grounds.
Good to know: The 30 day deadline is not a ‘hard’ deadline. Whether an organisation has breached the assessment requirement will depend on the circumstances and the complexity of the suspected data breach.
If the assessment does not reveal a breach, no further action is required. If the assessment leads to a ‘belief’ that an eligible data breach has taken place, the organisation must take further steps.
If an organisation has ‘reasonable grounds’ to believe an eligible data breach has occurred, it must:
- Notify the contents of a ‘statement’ (Statement):
  - To the Information Commissioner as soon as practicable after becoming aware of the suspected eligible data breach; and
  - To the individuals to whom the relevant information relates, or those who are at risk from the eligible data breach, as soon as practicable after completion of the Statement.
Good to know: If there is a large cohort that has been affected by the data breach and ascertaining the at-risk individuals would be disproportionately time-consuming, the organisation can provide a blanket notification to all individuals to whom the information relates regardless of whether they are ‘at-risk’. If notification of all affected individuals directly is not practicable, the organisation can publish a copy of the Statement on their website or otherwise publicise the contents of the Statement. Alternatively, it can provide notification to only the at-risk individuals.
The Statement is to contain the following information:
- The identity of the organisation and relevant contact details;
- A description of the data breach;
- Details of the kinds of information concerned;
- Recommendations about the steps that affected individuals should take in response to the eligible data breach - for example, request a credit report; and
- The details of any other entities which were also subject to the eligible data breach - for example where a data outsourcing service is used.
An eligible data breach is deemed not to have occurred if the organisation takes remedial action so that a reasonable person is able to conclude that serious harm is not likely to result from the loss or disclosure of information.
For example, serious harm is unlikely to result where:
- An email is mistakenly sent to the wrong recipient, who credibly undertakes to delete the email; or
- A lost device such as a laptop containing personal information can be erased remotely before the data is accessed.
Consequences of a failure to comply
The Information Commissioner’s powers if an organisation fails to comply with the mandatory data breach reporting obligations are the same as those presently available for failing to comply with the Act. These include:
- Declaring sanctions such as public apologies;
- Investigative powers, including the power to enter premises or compel the provision of information;
- Conduct of a hearing, including examination of witnesses;
- Seeking enforceable undertakings, such as updating security systems on a regular basis or obtaining an independent review of a party’s dealings with third party providers;
- Making determinations including declarations that a complainant is entitled to compensation for loss or damage;
- Applying to the Federal Court for an order for penalty of up to $2.1 million for an organisation for serious or repeated interferences with privacy.
An affected individual may complain to the Information Commissioner within 12 months of becoming aware of the interference. Such complaints can result in an investigation by the Information Commissioner, resulting in conciliation, compulsory conference or a determination which can be enforced by court proceedings in the Federal Court.
Good to know: There is the potential for class actions, with representative complaints able to be made by one individual on behalf of two or more affected individuals.
While the Act is perceived as having a far-reaching impact, it contains a number of mechanisms which limit its operation, including:
- The application only to entities with an annual turnover of over $3 million;
- A test of ‘reasonableness’ and ‘likelihood’ for various triggers; and
- A requirement of ‘serious harm’.
The costs that organisations may incur could arise out of:
- Investigation costs;
- Notification costs, both to the Information Commissioner and the affected individuals;
- Costs in co-operating with an investigation by the Information Commissioner;
- Compensation of affected individuals; and
- Civil penalties for serious and repeated infractions.
What should you be doing?
If your organisation is subject to the Act, it is likely you have already taken steps to ensure your organisation is in a position to comply with the new regime. However, we recommend sitting down with your IT team and other key members of staff to:
- Identify the types of data your organisation holds which might result in an eligible data breach;
- Consider what protections are in place for that data and whether your organisation needs to hold it at all;
- Implement a data breach response plan, such as the example plan on the website of the Office of the Australian Information Commissioner;
- Ensure your staff are adequately trained to implement the data breach response plan; and
- Consider how your organisation’s present insurance coverage responds to cyber events and whether obtaining specialised cyber risk insurance coverage is necessary.
This article may provide CPD/CLE/CIP points through your relevant industry organisation.