Impact of New Mandatory Data Breach Notification Laws
Amendments to the Privacy Act 1988 (Cth) (Act) will require the mandatory reporting of “Eligible Data Breaches”. The principal change to the Act is the introduction of mandatory notification requirements in the event of a data breach.
The changes provide greater accountability and transparency with respect to the protection of our personal information and privacy.
Am I affected?
The amendments to the Act will not take effect until February 2018 (unless commenced on an earlier date by Proclamation) and will apply to organisations with existing obligations under the Act including:
- Commonwealth Public Sector Agencies;
- all companies and not for profit organisations with an annual turnover of $3M or more; and
- private health service providers, child care centres, private schools, businesses that sell personal information, credit reporting bodies and others who trade in personal information (regardless of annual turnover).
Organisations exempt from the requirement to issue breach notifications are:
- intelligence agencies;
- small businesses (less than $3M annual turnover unless captured by the third bullet point above); and
- law enforcement bodies where notification is likely to prejudice law enforcement activities.
If the Act applies to your organisation, then in the event of an Eligible Data Breach, the Office of the Australian Information Commissioner (OAIC) and the individual(s) affected must be notified where a reasonable person would conclude there to be a likely risk of serious harm.
Serious harm types could include: physical, psychological, emotional, financial or reputational. When making an assessment of the seriousness of harm the following factors are relevant:
- the kind of information compromised;
- whether a security measure was in place;
- the likelihood the security could be breached;
- the nature of potential harm; and/or
- any other relevant matter.
What is an Eligible Data Breach?
The requirements for an Eligible Data Breach are that:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
What amounts to “Personal Information”?
Personal information for the purposes of the Act is information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Certain personal information, such as Medicare or other health care details, driver’s licence, credit or debit card numbers, are likely to cause an individual harm if compromised.
Further, a combination of personal information, rather than a single piece of information, poses a greater threat to security. The permanency of the information is considered significant – for example, an individual’s place of birth, medical history and name is not able to be “re-issued” in the case of a breach.
There are a number of potential issues to consider, such as:
- How do you work out if there has been a data breach?
- How do you identify the exact data compromised and persons affected? If it is unclear, must you assume that all data has been compromised and all customers must be notified?
- Do you err on the side of caution when assessing whether risk is “likely” and the harm could be “serious”? If yes, are you obliged to use strong wording in your notifications, such that customer alarm and fallout is maximised?
What if I suspect a breach?
Entities are required to conduct an assessment if there is a suspected breach, taking all reasonable steps necessary to ensure the assessment is completed within 30 days of the entity becoming aware of the suspicion. If it is found that a breach has occurred, entities should ensure that the OAIC and the affected individual(s) are notified. The notification must include:
- a description of the serious data breach;
- a list of the personal information disclosed;
- contact details of the entity so that affected individuals can obtain assistance; and
- recommended steps that individuals should take in response.
Guidance as to reasonable steps can be found here on the OAIC website. It includes, but is not limited to, such actions as: performing Privacy Impact Assessments, creating and maintaining privacy and security policies, developing a data breach response plan, ensuring that IT software and security is comprehensive, up to date and monitored and obtaining insurance specific to cyber security risks.
Other measures worth considering are:
- minimising the amount of personal information your organisation holds;
- where possible, encrypting or anonymising personal information;
- segregating personal information to limit exposure in the event of a breach;
- ensuring your system allows you to adequately identify data breaches and compromised data; and
- considering options to limit your liability for loss arising from data breaches.
Under the new regime, where a number of people are affected by the breach they may bring a class action against an entity.
Where there has been a failure to declare a Notifiable Data Breach, interference with the privacy of individuals will be deemed to have occurred, enlivening the Commissioner’s power to investigate, make determinations and provide remedies. This may include a written direction to an entity to issue a data breach notification and/or civil penalties for serious and/or repeated interferences. Those penalties may amount to $360,000 for individuals and $1.8M for companies.
Other implications of a data breach include:
- Damage to reputation: an entity which fails to adequately protect personal information faces risk to its reputation from having to notify OAIC and those affected by the breach. Serious data breaches will quickly become public.
- Costs associated with investigation: engaging specialist IT and forensic experts will be expensive.
- Downtime: displacement of internal resources to attend to investigation, assessment, mandatory notification and customer liaison could have a serious adverse impact on your organisation’s productivity.
For the reasons set out above, it is important to ensure that your organisation is in a position to comply with the new laws when they come into operation. Fletcher Law can provide comprehensive legal advice in this regard. In this area, prevention is far preferable to attempting a cure.