New mandatory data breach notification laws take effect in Australia on 22 February 2018. This latest legislation seeks to protect consumers’ personal information: it requires that public agencies and private organisations report all eligible data breaches to the affected individuals and to the Privacy Commissioner. An eligible data breach occurs when there is unauthorised access to, disclosure of, or loss of personal information held by an agency or organisation, and that access, disclosure or loss is likely to cause serious harm to the individuals concerned. As yet, there is no definite measure of serious harm. However, serious harm may be considered to include physical, financial and reputational damage, as well as adverse emotional or psychological impact.
This mandatory notification applies to all public and private entities that are governed by the existing Privacy Act, which includes organisations that have an annual turnover exceeding $3 million. Mandatory reporting also applies to those companies that make under $3 million and are in the business of handling personally identifiable information (PII) such as names, social security numbers, personal contact and credit information, as well as health and financial records. If an organisation is related to another that is governed by the Privacy Act, then that organisation is also subject to the mandatory data breach notification requirement.
Current State of Preparedness
Although the Privacy Amendment (Notifiable Data Breaches) Bill of 2016 established the upcoming mandatory reporting requirement, there is some unpreparedness among organisations, especially small businesses. According to a recent survey, 44% of Australian businesses reported that they were not ready for the mandatory notification requirements. This may have resulted from a mistaken belief that small firms would not be subject to the new legislation. It may also be the case that information security has long been viewed as the domain of IT professionals, so that insufficient attention has been directed to this aspect of business operations. However, given our growing digital economy and the increasing cyber threats that come with it, it is becoming clear that the usual risk management framework must now also consider the mitigation of cyber risks.
The Process of Mandatory Data Breach Notification
If an organisation suspects that it may have been subject to unauthorised access, disclosure or loss of personal information that may cause serious harm to any of its stakeholders, then it has 30 days to investigate and conclude whether or not an eligible data breach occurred. However, it may not be prudent to wait an entire month before deciding on the eligibility of a data breach. The factors an organisation needs to consider when determining whether an eligible data breach has occurred include:
- the type and sensitivity of the information in question;
- whether or not steps were taken to protect the information (for example, data encryption);
- how likely it is that the protection measure will be defeated (such as the encryption being cracked) and the information revealed;
- the scope of the potential serious harm to affected individuals; and
- any other relevant factors.
In the case of an eligible data breach, the company must prepare a formal statement for the Privacy Commissioner and each of the affected parties. This statement must include details of the nature of the data breach and the remedial actions taken to protect those adversely affected. Where it is not possible to inform every affected individual, the statement must be published on the company’s website. We recommend that legal counsel be obtained in the unfortunate event of a data breach, so that the organisation can be sure that all aspects of the mandatory notification requirement are met.
Failure to report eligible data breaches will be costly in several ways. The Privacy Commissioner is empowered to apply fines in cases of non-compliance with the mandatory notification requirement. Individuals (such as sole traders and general partners) may face fines of up to $360,000, while corporate organisations may have to pay fines up to $1.8 million.
However, the consequences of non-compliance do not originate only from the Privacy Commissioner. The Privacy Act enables an individual to make a representative complaint (on behalf of several affected parties) directly to the Privacy Commissioner. There is also the possibility of class actions being initiated in the wake of a data breach. Another pressing concern is the loss of consumer and investor trust. This goodwill is vital to a company’s success, and non-compliance may be perceived as a lack of trustworthiness, which may then have greater adverse effects on the organisation in question.
We recommend a two-pronged approach of both prevention and corrective measures to ensure full compliance with the new mandatory data breach notification law.
The mandatory notification requirement means that organisations need to establish robust information security systems, or review their existing systems in light of this new legislation. Information security covers all the policies and procedures governing the secure collection, storage and retrieval of personal data. However, companies will need to do more than merely install commercial security software. The latest data-stealing malware is being delivered via email, which means that users at all levels of an organisation need to be trained to recognise such threats and to actively support the information security framework. Small businesses may need to outsource certain security needs to IT vendors. It is therefore also important that all vendors employ current cyber security practices and are ready to comply quickly with any requests for updates and formal reports.
In the event of an eligible data breach, it is useful to have a set of templates and procedures on hand. It is vital to have a detailed incident response plan which includes the organisation’s breach assessment criteria, templates for notifying affected parties and the Privacy Commissioner, and procedures for implementing remedial measures. We recommend that any incident response plan be tested with all members of the organisation and its external vendors, so that each person is aware of their role in responding to a possible data breach. We further recommend that all organisations obtain legal counsel to ensure that every element of the mandatory notification requirement is carried out appropriately.
The mandatory data breach notification law will definitely alter the way in which businesses operate within Australia. Other countries such as the USA, Germany, Canada and the UK already have such legislation in place, so successful adaptation to these new requirements has already proven possible. We urge all Australian organisations to become familiar with their new legal obligations and to make use of all the available resources and services, for both information security and notification support.