Australian entities that hold personal information about individuals will soon be required to notify those individuals if that information is compromised. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”) has recently passed both houses of Parliament, has received Royal Assent and will be introduced into Australian law on 23 February 2018. It is hoped that the new reporting requirements are a step forward in the fight to protect personal information.
The Bill shows the growing importance of data protection in the face of cyber threats, and follows the 2015 release of ASIC’s Cyber Resilience: Health Check Report. The report highlighted the importance of preparedness against cyber attacks.
What is the purpose of the Data Breach Bill?
Cyber security and the protection of personal information has been a growing concern globally for a number of years. Cyber attacks to obtain, use and disclose the private information of individuals are continuing to increase, in both number and severity. Unauthorised access to personal information is particularly damaging where the individual is unaware that a breach has occurred and therefore cannot take steps to minimise its impact.
The purpose of the Bill is to impose mandatory reporting provisions on entities that are currently regulated by the Privacy Act 1988. The reporting provisions create a legal requirement for entities to notify both the individual(s) affected and the Office of the Australian Information Commissioner (OAIC) where they have reasonable grounds to believe there has been an eligible breach of personal information.
It is intended that the data breach reporting requirement will give individuals whose personal information has been compromised the opportunity to take proactive steps to protect their interests. It is also hoped that the requirement, and the potential implications for an entity’s reputation or standing, will encourage the relevant entities to treat the protection of their clients’ personal information as a priority.
What is an eligible data breach and when does a reporting obligation arise?
A data breach is an eligible data breach in the context of reporting obligations where:
- There has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure; and
- A reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Whether the effect of the breach constitutes serious harm will require an assessment of the particular circumstances. Parliament has identified serious physical, psychological, emotional, economic and financial harm, along with serious harm to reputation, as examples of where serious harm may occur. However, some entities have already raised concerns about the ambiguity of this assessment threshold. It is likely that the threshold will need to be tested to some degree before the judiciary before the scope of the reporting mandate is clear.
Where an entity suspects, but does not have reasonable grounds to believe, that an eligible data breach has occurred, the entity must, within 30 days, carry out “a reasonable and expeditious assessment of whether the relevant circumstances constitute an eligible data breach of the entity”.
The entity must, where practicable, notify the contents of the statement to:
- Each individual to whom the personal information relates; and
- Each individual considered to be at risk from the eligible data breach;
using the method it would usually employ to communicate with the individual.
If it is not practicable to notify the individuals using the above method, the entity must instead publish the statement on its website and take any other reasonable steps necessary to publicise the details of the breach, so that those affected are notified.
There are a number of exceptions to the reporting requirement under the Bill. One exception is where the entity has taken remedial steps to mitigate the breach before any serious harm has occurred. The entity will not be required to notify the individual(s) concerned or the OAIC where, as a result of that remedial action, a reasonable person would conclude that the unauthorised access or unauthorised disclosure is unlikely to result in serious harm to them.
Consequences for failure to comply
Where an entity has reasonable grounds to believe that an eligible data breach has occurred and fails to meet its reporting obligations, this will be considered an interference with the privacy of an individual for the purposes of the Privacy Act. In such a situation the OAIC will be able to invoke its existing powers to investigate, make determinations and provide remedies in relation to suspected non-compliance.
The Implications for AFSL holders
ASIC has in recent times highlighted the importance of an AFSL holder being vigilant about the protection of its clients’ data. It is a critical part of an AFSL holder’s obligations to have considered the risks to its business and clients from cyber threats and to have identified any weaknesses or areas of particular concern in the current business structure. This may include an audit of IT and data protections by a specialist firm.
Once clear about the cyber risks it faces, the AFSL holder needs to take steps to be resilient to cyber attacks. This will include developing a response plan and, in some circumstances, implementing stronger protective software and IT systems. The AFSL holder’s response plan for a data breach should include, to the extent possible, the information and mitigation advice to be given to clients if a data breach occurs, as well as details of how that information will be disseminated. The more quickly a client receives this information, the more likely it is that the client’s mitigation steps will be effective against the breach.
ASIC is clear that an AFSL holder’s ability to respond to, mitigate and recover from a cyber attack will hinge on plans put in place by the AFSL holder before such an attack occurs.
Where to from here?
While the reporting requirement is a step in the right direction, some industry groups do not believe it goes far enough to protect client privacy. Issues that have been raised in respect of the data breach laws include: that the obligation applies only to limited types of entities, the high threshold for determining ‘serious harm’, and the exceptions that apply to the obligation. Time will tell whether the data breach laws are effective in their current form.
This article only summarises the Bill and its requirements.
Please contact us for a more detailed discussion about whether the reporting requirements apply to you, and what your obligations may be.