The Privacy Amendment (Notifiable Data Breaches) Bill 2016
was passed by the Australian parliament on 13 February 2017. Assuming that it receives royal assent within the coming days, it will become an Act (the Amendment Act
). The key amendments set out in the Amendment Act are likely to take effect 12 months after that, to give Commonwealth government agencies and private sector organisations time to prepare for compliance.
This article discusses the requirements of the Amendment Act, some practical cyber security measures you can put in place and the increasing need to have a well-considered Data Breach Response Plan in place.Requirement to notify if the breach is likely to result in serious harm
The Amendment Act amends the Privacy Act 1988
(the Privacy Act
) to introduce mandatory data breach notification requirements for Commonwealth government agencies, private sector organisations and specific other entities (including credit reporting bodies and recipients of tax file number information) that are regulated by the Privacy Act.
The threshold for notification is set higher than in most other jurisdictions: the test is based on whether the breach “is likely to result in serious harm"
to an affected individual.
Until the Amendment Act comes into effect, there is no mandatory requirement that an entity inform the Office of the Australian Information Commissioner (the OAIC
) or affected individuals following a data breach involving personal information, although the OAIC has encouraged notification where there is a "real risk of serious harm" to an affected individual.
Data breaches are not limited to malicious attacks, such as theft or hacking, but may arise from internal errors or failures to follow information-handling policies that cause accidental loss or disclosure. As technology advances, entities are storing vast amounts of personal information electronically. Australian Privacy Principle 11 in the Privacy Act requires entities that hold personal information to protect it from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store personal information. The OAIC predicts that based on comparisons with other jurisdictions, notifications under this mandatory scheme will nearly double to around 200 per year after the commencement of the Amendment Act.
What is an "eligible data breach"?
The Amendment Act states that essentially, an "eligible data breach" happens if:
- there is unauthorised access to or unauthorised disclosure of personal information; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm could include physical, psychological, emotional, economic or financial harm, as well as harm to reputation.
In determining whether serious harm is likely, various factors are to be taken into account including the types of personal information involved, whether the information is encrypted and the risk of any encryption being circumvented.What the changes mean for your business
We expect that it will be approximately 12 months before the new provisions take effect. Businesses and Commonwealth government entities should use that period to get ready.
From around mid-February 2018, if your business or agency is subject to the Privacy Act and suffers an eligible data breach, you will have to report the breach to the OAIC and to affected individuals as soon as practicable.The notification must contain:
- the identity and contact details of your business or agency;
- a description of the breach;
- the type of information that was disclosed; and
- recommendations about the steps individuals should take in response to the breach.
The notification to the individual may use the communication method you normally use to contact the individual (e.g. email, telephone, post).
If you are unable to notify each affected individual, you must publish a notification on your website (if any) and take reasonable steps to publicise the notification.
Consequences of not notifying an eligible data breach
If you fail to notify the OAIC and/or the affected individuals of a serious data breach, you will be taken to have interfered with the privacy of relevant individuals. You may in any event have interfered with their privacy if you did not take reasonable security measures to protect the personal information against unauthorised access or disclosure, under Australian Privacy Principle 11. As a result, the OAIC may for example require you to make a public apology and pay compensation to the affected individuals. A hefty civil penalty could also apply for serious or repeated non-compliance with mandatory notification requirements.
How you can protect your business from a serious data breach
One of the factors that will be taken into account when assessing whether an eligible data breach has occurred is whether the information was protected by one or more security measures. To protect your business and avoid serious data breaches you should consider:
The need for a Data Breach Response Plan
- Installing and maintaining a firewall to protect your data
- Using and regularly updating anti-virus software
- Encrypting transmissions of your data (particularly personal information) across open, public networks as well as encrypting the data "at rest" on your systems
- Restricting access to personal information on a business "need-to-know" basis
- Using best practice login ID and password requirements, including requiring complex passwords and regular changes of password
- Restricting physical access to your systems and also to hard copies of personal information
- Tracking and monitoring access to your computer systems
- Regularly testing your security systems and processes
- Maintaining a policy that addresses information security for employees and contractors
These changes to the law show the increasing importance regulators are placing on protecting individuals' privacy including the need to respond appropriately to a data breach.
In the "data age" it is becoming inevitable that all organisations will sooner or later experience a data breach. When that happens, you need to be ready to respond in the best possible way. For that purpose you need a Data Breach Response Plan.
We've written previously
about the need for a Data Breach Response Plan and what should be included in it. The aim is to be clear about who is responsible for managing your response to a breach and to provide them with clear practical checklists and tools to use. You do not want to spend the first hours after a serious breach occurs, scrambling to contact senior executives and deciding ad hoc about who is going to do what in response. A good Data Breach Response Plan will include amongst other things:
- A list of Response Team members and their contact details, including outside office hours.
- Clear responsibilities for things like investigating the breach, putting immediate risk mitigations in place and communicating with affected individuals, regulators and the media.
- Detailed checklists to work through, for assessing the risks associated with the data breach and for implementing changes to reduce the risk of further breaches.
- Template documents for notifying affected individuals and the OAIC and for publication on your website. This can save considerable time and will help you discharge your obligation to notify (where legally required) as soon as practicable.
A changing legal landscape
As technology changes, and more and more data about individuals is collected and aggregated, the regulatory regime in relation to privacy and cyber security will remain dynamic. Possible future changes may include the introduction of a legislated tort of "serious invasion of privacy" and a right for individuals to be "forgotten" by data holders.
If you'd like our assistance with getting your Data Breach Response Plan into place, or would like to know more about the changes to the law, please let us know.