By Laura Tatchell, Associate
After years of lobbying, law reform recommendations and government promises, the Australian government has released a draft bill entitled the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. The controversial bill imposes mandatory serious data breach notification obligations on entities governed by the Privacy Act, which include businesses with a turnover of more than $3 million, government agencies and private health service providers.
The risk of data breaches and the vulnerabilities of businesses have skyrocketed as a result of the explosion of globalised, online business, vast data storage and increased social interactions and transactions in the online realm. The new laws aim to grant individuals greater awareness and power in circumstances where their personal information has been leaked. These individuals can then take appropriate steps to mitigate the risks and negative effects of the data breach. In addition to this, the laws aim to force transparency in how businesses identify and deal with serious data breaches.
Although the proposed new laws will only apply to entities with larger revenue, the public expects that all businesses will handle personal information properly. Where a small business is transacting or partnering with an organisation governed by the Privacy Act, that organisation will expect the smaller business to match those standards. Accordingly, the relevance and impact of the proposed new laws are far-reaching.
When does a data breach occur?
The Office of the Australian Information Commissioner (OAIC) states that a data breach occurs when “personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference”. The major and most damaging data breaches we often hear about are those caused by cyber-attacks from hackers. However, data breaches can also occur when data storage devices like laptops or thumb drives are lost, stolen or returned to rental companies without being erased, when employees get unauthorised access to databases, when paper from recycling or garbage bins is stolen and the more mundane situation of correspondence being posted to the wrong address.
The current position
Under the current privacy laws, notification of data breaches to affected individuals and the OAIC is voluntary. It is probable that most data breaches occur without appropriate notification to individuals and the OAIC; only 110 notifications were made in 2014/15. Examples of breaches that were notified include:
- Adobe reported a cyberattack breaching the security of more than 38 million customers globally, including over 1.7 million Australians.
- Optus reported 3 separate data breaches compromising over 300,000 of its customers’ personal information.
- Kmart reported breaches of personal information via its online store.
Requirements under the new scheme
Under the new scheme, relevant entities will be obligated to report serious data breaches to the OAIC and to affected individuals as soon as is practicable, but no later than 30 days from when the entity became aware of the breach, or when it ought reasonably to have become aware of it. If it is not practicable to notify each individual involved, the entity must publish a statement on its website and take reasonable steps to publicise that statement. The statement must provide the entity's contact details, describe the breach and the type of personal information disclosed, set out the steps the entity has taken or intends to take to mitigate harm, and set out the steps the individual should take.
Serious data breaches which trigger the notification obligation will be those breaches that the entity assesses as creating a real risk of serious harm to the individuals involved, for example identity theft or fraud occasioning financial loss. This threshold matters because requiring notification for every data breach, however minimal, may lead to "notification fatigue": individuals receive so many notifications about unimportant matters that, when a serious notification finally arrives, they disregard it and fail to act quickly and effectively to remedy the issue.
In assessing whether a data breach creates a real risk of serious harm to an individual, an entity must consider factors including:
- The type and relative sensitivity of the information disclosed.
- How easily it can be linked to an individual.
- Whether it is protected by some form of security/encryption.
- Who is likely to find the information.
- What sort of harm could be caused if the information falls into the wrong hands. The types of harm envisaged include physical, psychological, emotional, reputational, economic and financial harms.
Further practical guidance will be provided by the OAIC if and when these reforms are implemented.
Likely penalties
The consequences for businesses governed by the Privacy Act which fail to comply with these new notification obligations can be as severe as a $1.7 million penalty for companies and $340,000 for sole traders and other non-companies in cases of serious or repeated non-compliance. More likely, however, is a direction from the Commissioner to notify the individuals affected by the serious data breach. Other directions from the Commissioner may include an order for a public apology or an enforceable undertaking from the business at fault.
Businesses concerned about the proposed new notification laws should review their governance and compliance measures and ensure that they have effective processes in place to promptly identify, assess and respond to a data breach within the time allowed. Businesses should appoint somebody within their organisation as a "privacy officer" to be in charge of educating and training staff and implementing effective measures to deal with all privacy matters, including data breaches.
Public consultation
The government invited the public to submit comments on the draft bill by 4 March 2016. Submissions were received from organisations and individuals including PayPal, the ABC, Telstra and Microsoft. Issues raised by submitters included the broad and uncertain nature of the obligation to notify when an organisation 'ought to be aware' of a data breach. Others highlighted the problem of businesses being solely responsible for assessing whether a breach creates a risk of 'serious harm' to an individual, a definition some considered overly broad. This may often become a purely subjective assessment, particularly when weighing the potential 'psychological, emotional or reputational harm' of a breach.
Next steps
The government will review the commentary and amend the Bill accordingly before introducing it into Parliament later in 2016.
Read more from other Wrays thought leaders in our launch edition of The Gatherer.