On 13 February 2017, the Australian Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill). The Privacy Amendment (Notifiable Data Breaches) Act 2016 will introduce a mandatory data breach notification rule which will come into effect in February 2018.
The Australian Cyber Security Centre (ACSC) identified 47,000 cyber security incidents in 2016/17, a 15 per cent increase on the previous year. Many of these were online scams or frauds. They cost Australian businesses more than $20 million.
The new law will apply to all APP entities currently subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth), which are Australian Government agencies and private sector organisations with an annual turnover of more than $3 million P.A. It will also apply to certain credit providers, credit reporting bodies and holders of tax file number information.
Peet Jordaan, Technical Service Director at Hal Group, a company specialising in cyber security, told Automotive Dealer that under the new law, unless an exception applies, businesses must notify ‘eligible data breaches’ to the Office of the Australian Information Commissioner regarding affected individuals as soon as possible. This must be reported immediately after the business becomes aware that “there are reasonable grounds to believe that there has been an ‘eligible data breach’ of the entity”.
“It is critically important to ensure compliance with the new law,” he said.
“It is mandatory for any business that falls under the new law to report any data breach that occurs. Businesses will also need to look at implementing or reviewing current processes to meet the various assessment and notification requirements.”
Serious or repeated failure to comply could expose the affected business to material civil penalties. Fines of $380,000 apply for an individual and a fine of $1,800,000 applies to an organisation.
There is also the risk of reputational and associated commercial damage, as infringements will be publicised.
“It is essential that businesses are proactive in responding to a data breach incident and that they take such preventative action necessary before any serious harm occurs to the affected individuals,” Mr Jordaan said.
- Businesses that turn over greater than $3 million P.A. are now required by law to declare any form of IT breach of private information to the affected clients, the entire client database and a government reporting agency.
- Breaches are subject to significant fines for both the business and all registered directors/boards (no longer “just an IT issue”)
- Private information primarily relates to:
– Credit card/banking details/financially sensitive data
– Medicare cards
– Photos or sensitive files that may cause distress if exposed
An ‘eligible data breach’ occurs where there has been:
(a) Unauthorised access or disclosure, or loss of information where unauthorised access or disclosure is likely, and/or
(b) A reasonable person would conclude that the access or disclosure would likely result in serious harm to the individuals to whom the information relates, whether that harm is financial, reputational, physical or otherwise.
Who is subject to the new conditions?
(c) APP entities, credit reporting bodies, tax file number recipients holding information subject to the information security requirements under the Privacy Act.
When is the requirement to notify triggered?
(d) When an entity is aware that there are reasonable grounds to believe that there has been an ‘eligible data breach’ of the entity.
Are there any exceptions applying to the notification requirements?
(e) Yes, there are a range of exceptions, including where the affected entity takes sufficient remedial action in response to the eligible data breach before it causes serious harm.
What does notification involve?
(f) The entity must notify the OAIC and all individuals affected by the breach. If impractical to notify all affected individuals, the entity must publish a statement on its website and publicise the content of the statement. The notification must set out certain matters about the eligible data breach.
What are the possible sanctions and financial penalties?
(g) Serious or repeated failure to comply could expose the affected entity to the risk of material civil penalties. Fines of $380,000 apply for an individual and a fine of $1,800,000 applies to an organisation. There is also the risk of reputational and associated commercial damage.
How do data breaches occur?
Data breaches occur in many ways. Some examples include:
- Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation.
- Employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
- An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address.
- An individual deceiving an organisation into improperly releasing the personal information of another person.
“It is important to ensure compliance with the new law,” Mr Jordaan said.
“It is mandatory for any business that falls under the new bill to report any data breach that occurs. Businesses will need to look at implementing/reviewing current processes to meet the various assessment/notification requirements.
“This is an ideal time to review how your company manages their information (and manages itself) to take stock of its information assets, its data protection measures (including response activities) and to ensure it minimises the risk of a breach in the first place.”
Who is affected and how?
The Bill primarily supplements the existing obligations of a business, which requires an entity holding personal information to take reasonable steps to protect information from unauthorised disclosure, misuse, interference and loss.
- Under the Bill, where an entity is aware that there are reasonable grounds to believe that there has been an ‘eligible data breach’ of the entity, then it must comply with the notification obligations.
As soon as practicable after the entity becomes aware, it must prepare a statement that addresses certain matters in relation to the eligible data breach. They must also provide a copy of the statement to the OAIC and any affected individuals.
- Where it is not practical for the entity to notify all affected individuals, the entity must publish a copy of the statement on its website. They must also take reasonable steps to publicise the content of the statement. Customers must be made aware that a breach has occurred so that they can take necessary steps to mitigate harm to themselves.
- The statement must include the identity and contact details of the entity, a description of the ‘eligible data breach’, the kind or kinds of information concerned and the recommended steps for individuals to take in response to the breach.
- If an entity suspects an ‘eligible data breach’, the Bill also requires that entity to carry out an assessment of whether there are reasonable grounds to believe an ‘eligible data breach’ has occurred.
A failure to notify an ‘eligible data breach’ is an “interference with the privacy of an individual” under the Privacy Act. Serious or repeated interferences with the privacy of an individual can give rise to civil penalties.
- The Bill essentially requires eligible data breaches to be notified where a reasonable person would conclude that the access, disclosure or loss would be “likely to result in serious harm” to the affected individual. The Explanatory Memorandum notes that the phrase ‘likely’ is intended to mean ‘more probable than not’.
Importance of security measures in reducing the risk of an ‘eligible data breach’
“This highlights the importance of implementing robust security technology and solutions,” Mr Jordaan said.
“Where entities have implemented such measures, this will significantly lessen the risk of a data breach (both in practice and when assessing whether an ‘eligible data breach’ has occurred).”
Be proactive about information security
It is essential that businesses are proactive in responding to a data breach incident and that they take such preventative action necessary before any serious harm occurs to the affected individuals.
This is reflected by the ‘remedial action’ exception to the notification requirement in the Bill. Under this exception, where:
there is unauthorised access to, disclosure or loss of information but the entity acts before it results in any serious harm to the affected individual, and
because of the action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual, then the unauthorised access or disclosure is deemed to have never been an eligible data breach.
Responsibilities for notification
If an entity complies with the relevant notification requirements in relation to an eligible data breach, and that eligible data breach has also occurred in relation to other businesses, then those other businesses do not need to comply with the notification requirements in respect of that eligible data breach. This exception ensures that where multiple businesses are affected by a single incident, only a single notice by one of the affected businesses will be required.
The new bill highlights the exposure that businesses currently have in an ever-changing digital economy and the need to protect the data that has been provided by your customers.