Release of exposure draft of mandatory data breach notification laws

In brief

The Federal Government has taken the first step in fulfilling its promise to introduce a mandatory data breach notification scheme. Under an exposure draft of the proposed legislation companies will be required to notify the Office of the Australian Information Commission and affected individuals of serious data breaches. Companies will need to determine quickly whether a data breach has occurred and the costs associated with complying with this proposed legislation may be significant. Partner Michael Pattison, Senior Associate Alice Williams and Lawyer Leah Wickman report.

How does it affect you?

• Once the provisions in the exposure draft¹ become law, Australian companies will, for the first time, have an express obligation to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of a serious data breach with respect to the information that the company holds on those individuals.
• Companies will accordingly need to put in place processes that allow them to determine quickly when a data breach has occurred and whether they have a notification obligation with respect to that breach.
• Given the potential for adverse publicity as a result of notifying of a data breach, an indirect effect of the notification obligation is likely to be that organisations will have an additional incentive to protect the information that they hold about individuals.
• Experience overseas has shown that data breach notifications can result in litigation, including class actions, against a company. This might have consequences for how companies respond to data breaches (see Focus: Ashley Madison – litigation risks exposed) and increase the demand for cyber risk insurance in Australia
• The cost of notifying individuals of a data breach is likely to be significant. While the draft Regulation Impact Statement cites the average cost of notification at A$0.07 million (the average total cost of a data breach is A$2.82 million),² this is somewhat misleading as this is under the current non-mandatory notification scheme. In contrast, the average cost of notification in the US (where 47 of the 50 States have mandatory notification laws), is US$0.56 million (the average total cost of a data breach is US$6.5 million).³ These additional costs provide still further incentive for organisations to implement appropriate security measures to prevent the data breach occurring.
• The OAIC may use the information provided in these notices to consider investigating whether the organisation had complied with its obligation under Australian Privacy Principle 11 to take reasonable steps to protect the information that it holds. 
• Organisations operating in many different countries will find their response to data breaches complicated by the different standards and processes imposed by different countries on these issues.
• The exposure draft is open for public comment until 4 March 2016. The Government has indicated its intention to have the Bill introduced into Parliament in 2016. Under the exposure draft's terms, the notification requirements would then become effective no later than 12 months after the date that the Bill is passed.

Background

There is currently no express obligation in Australian law to notify the OAIC or affected individuals that data held on the individuals has been lost or the subject of unauthorised access. In that respect Australian law is different to the law of many other countries, including the UK and many of the US states, which do contain such an express notification obligation.

As reported in our previous Client Update: Data deal – mandatory data breach notification laws to be introduced as trade-off for controversial metadata retention regime, the Federal Government committed to enacting a mandatory data breach notification scheme before the end of 2015, as part of its introduction of metadata retention laws. Given the time of year, it has been obvious for some time that the law was not in fact likely to be introduced in 2015. However, the release of the exposure draft does increase the likelihood that the mandatory data obligation will become part of Australian law, probably in 2016 or 2017.

The Government has stated that it intends to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact.⁴ The Government has also stated that its intent is to amend the Privacy Act to deal with serious data breaches in a 'practical, effective way without placing an inappropriate regulatory burden on business'.⁵

Summary of the new obligation

The exposure draft inserts a new Part IIIC into the Privacy Act 'Notification of serious data breaches'. The new Part IIIC defines a 'serious data breach' as being:

• an unauthorised access to, or unauthorised disclosure of, information which 'will result in a real risk of serious harm' to any of the affected individuals;
• a loss of information which is 'likely' to result in unauthorised access to unauthorised disclosure of the information; or
• a loss of information which 'may' result in unauthorised access/disclosure of the information but only where the information is of a kind specified in the regulations. The EM suggests that the information to be specified in the regulations would include particularly sensitive information, such as health records.

'Harm' is broadly defined in the exposure draft to include psychological harm and emotional harm, as well as more usual examples of harm such as physical harm and financial harm. In determining whether there is a 'real risk of serious harm to an individual', the exposure draft provides that regard should be had to:

• the kind of information concerned;
• the sensitivity of the information;
• whether the information is in a form that is intelligible to an ordinary person;
• if information is not in an intelligible form, the likelihood that information could be converted into such a form;
• whether the information is protected by security measures;
• if the information is protected by security measures, the likelihood that those measures could be overcome;
• the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
• the nature of the harm; and
• if the entity has taken steps to mitigate the harm, the nature of the steps that have been taken and how likely those steps are to be successful.

Where there is a real risk of serious harm to any of the affected individuals, the company will have an obligation to notify the OAIC and the affected individuals of certain prescribed matters. Where the corporation is not practically able to notify the affected individuals, then the organisation must publish a copy of the prescribed matters on its website and take reasonable steps to publicise the contents of those statements.

The obligation to notify 'losses' of information even before there is any evidence that there has been unauthorised access/disclosure of the information could be problematic for organisations. They will have to assess internally whether the loss of the information has occurred is 'likely' to result in unauthorised access/disclosure.

As well as applying to organisations that hold personal information generally, the exposure draft refers expressly to the obligations applying to credit reporting bodies, credit providers and to the holders of tax file numbers. The obligations with respect to these three classes of entities apply in the same way as to holders of other types of personal information. Obviously, though, the potential for harm with respect to some of these categories of information is greater than for organisations that hold more general personal information.

Timing of notifications

The organisation must give the required notification 'as soon as practicable' after the organisation becomes aware of the data breach, or ought reasonably to have become so aware. The exposure draft effectively prescribes a maximum time of 30 days after the organisation becomes aware of the breach, or ought reasonably to have become so aware, in order to make the notification. However, in the past, the OAIC has been critical of delays as short as seven days,⁶ so the 30 days' period should be taken as a maximum period and not as the period that the OAIC is likely to require.

The fact that the time for calculating when the notification obligation arises can commence when the organisation 'ought reasonably to have been aware of the data breach' could be problematic. Many data breaches that occur today are sophisticated attacks which require some time to plan and to implement, often by way of first infiltrating an organisation's information technology systems and then over time downloading data from those systems. As well as implementing systems to protect their data in the first place, organisations will now have to ensure that they have systems to detect unauthorised access to the data that they hold, so that they can both prevent the data breaches occurring or continuing and also can comply with their obligations to notify the data breach as soon as practicable after the time that they ought to have been aware of the data breach occurring.

Disclosure by overseas entities

Many Australian businesses now use companies outside Australia to process some of their data, whether as part of a cloud computing or other arrangement. Australian Privacy Principle 8 requires organisations that are disclosing the information to a person who is outside Australia to take reasonable steps to ensure that the person does not breach the Australian Privacy Principles. Under the Draft, where Australian Privacy Principle 8 applied to a disclosure then the data breach notification obligations will continue to apply on the same basis as if the information were still held by the Australian entity.

The consequence will be that the Australian company will need to know when a data breach has occurred with respect to the information that it has disclosed to the overseas provider. This will have implications for the provisions that organisations need to include in their contracts with overseas information processors, including the inclusion of strict obligations to notify the Australian organisation whenever the overseas processor has reason to believe that there has been a security breach of the systems used to hold the organisation's data.

Further powers of OAIC

There are a number of additional powers given to the Commissioner in the exposure draft. These include the power to exempt entities from the notification obligation where the Commissioner is satisfied that it is in the public interest to do so. The Commissioner also has a power to direct an entity to notify individuals of a serious harm breach.

Many of the provisions in the exposure draft are expressed in general terms. In recognition of this, the Explanatory Memorandum provides that the Commissioner will issue guidance on particular aspects of the issues covered by the Bill, including expanding or updating the current guide on data breach notification.

Consequences of failure to comply

A failure to give notification is taken to be an interference with the privacy of an individual. As such, a failure will constitute a breach of the Privacy Act. In addition, if the failure amounts to a serious or repeated interference with the privacy of an individual, then the failure will contravene the civil penalty provision of the Privacy Act. That would then expose the organisation to a fine of 10,000 penalty units, being $1.8 million at today's figures.

Comparison with international regimes

The EU (including the UK) has mandatory data breach notification laws in place, as do 47 of the US states. The US also intends to introduce a federal scheme which would replace the existing state-based laws applying to the private sector.

The discussion paper issued with the draft Bill indicates that the proposed Australian scheme:

• has a relatively higher notification threshold than in many other jurisdictions;
• will be simpler than many actual or proposed schemes in other jurisdictions in that there is only one tier of notification, ie if there is a breach both the regulator and the individual should be notified; and
• will be as flexible as schemes in other jurisdictions which recognise that data breaches which involve encrypted information will not pose as large a threat to individuals as breaches relating to unencrypted information.

As indicated above, the proposed Australian threshold is higher in that there has to be a real risk of serious harm to an individual rather than the broader notification requirements of breaches in the EU and some US states.

In Australia, the notification requirements will apply to all personal information as defined in the Privacy Act, which is a very broad range of information. The EU provisions apply to personal data but the notification requirement only applies to providers of publicly available electronic communications services – so a narrower range of information than in Australia. Some US state's legislation relates to an individual's name with other data elements, eg social security number. Any combination of a user name or email address and access credentials will also qualify as personal information for the purposes of the notification legislation.