Privacy law update – data breaches must now be notified
It is time to review your cyber security posture
Australia’s federal privacy laws are set for their most significant amendment since the introduction of the Australian Privacy Principles in 2012.
On Monday, Parliament passed the Privacy Amendments (Notifiable Data Breaches) Bill 2016 (the Bill), which will make it mandatory for entities regulated by the Privacy Act to give notice of any data breach that is likely to result in serious harm.
These amendments have been a long time coming. They were originally recommended as part of the Australian Law Reform Committee’s 2008 report on Australia’s privacy laws, and then were proposed as part of the legislative package of changes in 2015 that required telecommunications providers to store metadata.
The passing of the bill is good news for individuals, as it dramatically improves the transparency around data breaches that have a likelihood of serious harm. Until now, the voluntary nature of data breach notification laws has meant that only a fraction of all breaches have been notified, making it more difficult for individuals to take basic self-help steps in response to a breach, like changing their passwords.
Of course, this means that affected entities must have in place measures to deal with these new obligations.
The good news is that there is a 12-month grace period in which to prepare. During this time, the focus should not only be on the processes required in order to notify when a notification is required, but also on taking steps to ensure that security and processes are optimised so that the chance of a breach is reduced to begin with. This is the best way to avoid the procedural, reputational and potentially financial consequences of a breach.
The amendments require notification where there has been an ‘eligible data breach’. This occurs where there is either unauthorised access to, or disclosure of, personal information (including some deemed forms of personal information), or loss of information that is likely to lead to unauthorised access or disclosure (breach), and that breach would lead a reasonable person to conclude that it is likely to result in serious harm to the affected individuals. Harm can take many forms, including physical, emotional, reputational or financial.
The duty to notify is not absolute, however. There are some exceptions. The first is in the definition of ‘eligible data breach’ itself. While there is a degree of objectivity, there will clearly be the need to make an assessment about the likely seriousness of any breach. There is a non-exhaustive list of matters to consider in this regard, but if there is no likely risk of serious harm, then no notification is required.
If a party suspects there has been a breach but does not yet have grounds to believe it has occurred, it must conduct an assessment rather than immediately notifying. Typically, it is expected this assessment should occur within 30 days.
Further, if there has been a breach, but the party has taken steps to remove the effect of the breach before harm occurs (for instance, because a lost device can be remotely wiped), then the breach need not be notified.
Also, if there are multiple parties involved in a breach – for instance, through an outsourcing or cloud arrangement – only one party needs to make the notification.
Finally, there are some exceptions for law enforcement and government agencies.
If you do have to notify, then there are issues of timing and form that must be addressed. You must prepare a notice that covers specified matters, and provide it to the Australian Information Commissioner (the Commissioner) as soon as reasonably practicable. That is a variable time frame that will depend on the particular circumstances, and it may be that we receive guidance from the Commissioner in due course about what is expected.
The notice must contain:
- the identity and contact details of your business
- a description of the breach
- the type of information that was disclosed, and
- recommendations about the steps individuals should take in response to the breach.
In addition to providing it to the Commissioner, you must also notify the affected individuals using the usual method of communication between you and the individual, and if you are unable to individually notify, publish the notice on your website and take reasonable steps to publicise the notification.
If you fail to comply with the new notification obligations, then the usual range of remedies under the Privacy Act is available, including investigation by the Commissioner, court-enforceable undertakings, orders for compensation, and penalties of up to $1.8 million.
What to do now
Clearly this new regime involves a significant change to the privacy landscape. Businesses will be more publicly accountable for data breaches, and must be far more open with individuals in their communications about data breaches.
While to an extent this will inevitably lead to a ‘normalisation’ of breach notifications, this is cold comfort for anyone having to go through the notification process. It will be critical to be ready to deal with notification obligations swiftly and professionally, and so we recommend taking the next 12 months to put in place a data breach response plan to ensure the procedural aspects of notification and breach response are addressed. More importantly still, we also recommend recognising that prevention is better than cure, and taking the opportunity to review your cyber security posture generally to reduce the risk of a breach happening in the first place.
Our privacy experts can help you at every stage of the process.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.