Following a period of industry consultation, the Federal Government has introduced updated legislation that will introduce a mandatory data breach notification scheme. The new Bill will amend the Privacy Act 1988 (Cth) when it comes into force and will apply to all Australian companies currently subject to the Privacy Act. Partner Gavin Smith, Senior Associate Alice Williams, Associate Tom Griffin and Lawyer Leah Wickman report.
How does it affect you?
- Once the provisions in the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) become law, Australian companies will, for the first time, have an express obligation to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in the event of an 'eligible data breach' with respect to the information that the company holds on those individuals (subject to the qualifications and exemptions set out below).
- Companies will accordingly need to put in place processes that allow them to determine quickly when a data breach has occurred, whether the data breach is an 'eligible data breach' under the Bill and whether they have a notification obligation with respect to that breach.
- Given the potential for adverse publicity as a result of notifying a data breach, an indirect effect of the notification obligation is likely to be that organisations will have an additional incentive to protect the information that they hold about individuals.
- As we reported in our December 2015 article, the draft Regulation Impact Statement cited the average cost of notification at A$0.07 million (the average total cost of a data breach is A$2.82 million),1 under the current non-mandatory notification scheme. In contrast, the reported average cost of breach notification in the United States is US$0.56 million (the average total cost of a data breach is US$6.5 million).2 It remains to be seen what the costs associated with the new mandatory data breach notification regime are, however we expect that any additional costs are likely to be significant enough to further encourage organisations to implement appropriate security measures to prevent a data breach occurring.
- The OAIC may use the information provided in these notices to consider investigating whether the organisation had complied with its obligation under Australian Privacy Principle 11 to take reasonable steps to protect the information that it holds.
- Multinational organisations will find their response to data breaches complicated by the different standards and processes imposed by different countries on these issues.
- This article is an update to our Focus: Release of exposure draft of mandatory data breach notification laws published in December 2015. We comment below on where the updated bill differs from the exposure draft following the industry consultation.
At the end of 2015, and as reported in our Focus: Release of exposure draft of mandatory data breach notification laws, the Government released an exposure draft of proposed legislation to enact the mandatory data breach notification scheme. The Government consulted extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact.3 The Bill has been tabled following that consultation.
Eligible data breach
The exposure draft of the Bill referred to a 'serious data breach' but, following consultation, this has now been amended to an 'eligible data breach'. In addition to this terminology change, the definition has changed in the Bill. The exposure draft referred to a '…a real risk of serious harm…' whereas the Bill now refers to what a 'reasonable person' would conclude is 'likely' to result in serious harm to an individual. This change removes the uncertainty of what would be considered a 'real' risk.
The Bill inserts a new Part IIIC into the Privacy Act 'Notification of eligible data breaches'. The new Part IIIC defines an 'eligible data breach' as being:
- an unauthorised access to, or unauthorised disclosure of, information which a reasonable person would conclude would be likely to result in serious harm to any of the affected individuals; or
- a loss of information in circumstances which are likely to result in unauthorised access to, or unauthorised disclosure of, the information and, if such unauthorised access or disclosure were to occur, a reasonable person would conclude that such access or disclosure would be likely to result in serious harm to any of the affected individuals.
There was scope in the exposure draft for a 'serious data breach' to be taken to have occurred if any of the information affected was of a kind specified in regulations. This would have applied regardless of the associated risks following access to or loss of that information, and would have engaged the notification requirements and other obligations resulting from a 'serious data breach'. This general obligation has been removed from the Bill.
Remedial action exception
A key update to the Bill since the exposure draft is the introduction of a 'remedial action' exception. Where:
- a person to whom the Part applies takes action in relation to loss of information, or unauthorised access or disclosure;
- before the access or disclosure results in any serious harm to affected individuals; and
- as a result of the action, a reasonable person would conclude that the loss of information, or unauthorised access or disclosure would not be likely to result in serious harm to the affected individuals,
then the unauthorised access or disclosure is not, and is taken never to have been, an eligible data breach.
The exposure draft specified particular types of 'harm' (eg psychological harm and emotional harm) in the definition of serious harm. In the Bill, a more objective test is applied and guidance given to determine whether a 'reasonable person' would conclude that unauthorised access or disclosure is likely to result in serious harm. The Bill provides that regard should be had to various circumstances, including:
- the kind of information concerned;
- whether the information is protected by security measures and, if so the likelihood that those measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information; and
- the nature of the harm.
In the exposure draft there was reference to having regard to information not being in a form that is intelligible to an ordinary person when assessing whether unauthorised access or disclosure would result in serious harm. This vague reference has been removed from the Bill and further detail added to what should be considered.
If an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, as soon as practicable after the entity becomes aware, it must give a copy of a statement setting out the following to the OAIC:
- the identity and contact details of the entity;
- a description of the data breach that the entity has reasonable grounds to believe has happened;
- the kind or kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the data breach.
As soon as practicable after the completion of the statement referred to above, and if it is practicable, the entity must notify the contents of the statement to any individuals affected by the eligible data breach or any individuals at risk from the eligible data breach.
Where the entity is not practically able to notify the affected individuals then the entity must publish a copy of the prescribed matters on its website and take reasonable steps to publicise the contents of those statements.
If an entity complies with the notification above and the access, disclosure or loss of information would be an eligible data breach of one or more other entities, those other entities are not required to notify. This would apply in circumstances where one or more entities hold the same piece of information. There would need to be agreement between these entities as to which party would be responsible for complying with the relevant notification requirements.
The Bill also includes provisions permitting the OAIC to make a declaration by way of written notice to the entity affected by an eligible data breach that the entity is or is not required to make a statement notifying affected individuals of the data breach.
These declarations can be made on the OAIC's own initiative or through an application made by the entity to the OAIC. The Bill sets out further details of these applications and the considerations of the OAIC.
The OAIC may also direct an entity to make notifications to affected individuals.
The exposure draft prescribed a maximum time of 30 days after the entity becomes aware of the breach, or ought reasonably to have become so aware, in order to make the notification. This has changed in the Bill and the entity must now carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity. The entity must take all reasonable steps to ensure that the assessment is completed within 30 days of the entity becoming aware of the eligible data breach.
The position on Australian businesses that use companies outside Australia to process some of their personal information, whether as part of a cloud computing or other arrangement, and deemed to be the holders of the relevant personal information, has not changed in the Bill. Australian Privacy Principle 8 requires organisations that are disclosing the information to a person who is outside Australia to take reasonable steps to ensure that the person does not breach the Australian Privacy Principles. Under the Draft, where Australian Privacy Principle 8 applied to a disclosure then the data breach notification obligations will continue to apply on the same basis as if the information were still held by the Australian entity.
The consequence will be that an Australian company will need to know when a data breach has occurred with respect to the information that it has disclosed to an overseas provider. This will have implications for the provisions that organisations need to include in their contracts with overseas information processors, including the inclusion of strict obligations to notify the Australian organisation whenever the overseas processor has reason to believe that there has been a security breach of the systems used to hold the organisation's data.
A failure to give notification is taken to be an interference with the privacy of an individual. As such, a failure will constitute a breach of the Privacy Act. In addition, if the failure amounts to a serious or repeated interference with the privacy of an individual, then the failure will contravene the civil penalty provision of the Privacy Act. That would then expose the organisation to a fine of 10,000 penalty units, being $1.8 million as at today's figures.
For convenience, we have restated the high level comparison with international regimes from our earlier article. The EU (including the UK) has mandatory data breach notification laws in place, as do 47 of the US States. The US also intends to introduce a federal scheme which would replace the existing state-based laws applying to the private sector.
The discussion paper issued with the exposure draft indicated that the proposed Australian scheme:
- has a relatively higher notification threshold than in many other jurisdictions;
- will be simpler than many actual or proposed schemes in other jurisdictions in that there is only one-tier of notification, ie if there is a breach both the regulator and the individual should be notified; and
- will be as flexible as schemes in other jurisdictions which recognise that data breaches which involve encrypted information will not pose as large a threat to individuals as breaches relating to unencrypted information.
As indicated above, the proposed Australian threshold is higher in that there has to be a real risk of serious harm to an individual rather than the broader notification requirements of breaches in the EU and some US States.
In Australia, the notification requirements will apply to all personal information as defined in the Privacy Act, which is a very broad range of information. The EU provisions apply to personal data but the notification requirement only applies to providers of publicly available electronic communications services – so a narrower range of information than in Australia. Some US State's legislation relates to an individual's name with other data elements, eg social security number. Any combination of a user name or email address and access credentials will also qualify as personal information for the purposes of the notification legislation.
- Attorney-General, Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 - Regulation Impact Statement, 20 citing the Ponemon Institute Research Report, 2015 Cost of Data Breach Study: Australia.
- Ponemon Institute Research Report, 2015 Cost of Data Breach Study: United States, 2.
- Attorney-General, Consultation Opens on Serious Data Breach Notification Bill (Media Release).