Australia is one step closer to a mandatory data breach notification scheme. If implemented the new law will require businesses and Federal Government bodies to notify serious data breaches to the Australian Information Commissioner (the Commissioner) and affected individuals. The Government has released for public consultation an exposure of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) and related documents (available here). The Bill is substantively identical to the Privacy Amendment (Privacy Alerts) Bill first introduced by Labor in 2013. Submissions on the Bill can be made until 4 March 2016. This alert summarises the notification requirements under the Bill and explains their practical impact (if enacted).
1. Who would the notification requirements apply to?
The mandatory notification provisions apply to any entity bound by the Privacy Act 1988 (Cth). This includes Federal Government agencies (but not State and Territory Government agencies or local councils), most private sector organisations with an annual turnover of more than A$3 million and foreign companies that carry on business in Australia. If an entity subject to the Privacy Act discloses personal information to an overseas recipient and Australian Privacy Principle 8.1 applies to the disclosure, the entity will be responsible for complying with the notification provisions in the event of a breach by the overseas recipient.
2. Trigger for notification
The Bill requires entities to comply with the notification provisions where there are “reasonable grounds to believe” that a “serious data breach” has occurred. A serious data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of, personal information, credit reporting or credit eligibility information or tax file numbers which results in a real risk of serious harm to the individual to whom the information relates. The real risk of serious harm standard reflects the existing voluntary data breach guidelines. The Bill sets out a variety of factors that will be taken into account in assessing whether there is a real risk of serious harm, including the sensitivity of the information, whether it is in an intelligible form and who may have accessed or could access it. Further practical guidance from the OAIC is foreshadowed in the explanatory memorandum. Harm in this context includes physical, psychological, emotional, reputational, economic and financial harm to the affected individual. The trigger of real risk of serious harm is very similar to the trigger of “real risk of significant harm to an individual” recently enacted (but yet to come into effect) in Canada. But on a global scale, the proposed notification threshold is quite high. For example, in California (which is famed for initiating mandatory breach notification requirements), notice is required for any “breach of the security of the system”, which is defined as the “unauthorised acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the agency”. Likewise, under the incoming European General Data Protection Regulation, any data breach will need to be notified to authorities unless it is unlikely to result in a risk for the rights and freedoms of individuals For more information to assist you in analysing the severity of a data breach, see our detailed guidelines and checklist in the recently released Baker & McKenzie Cybersecurity Counter-offensive Guide. If the provisions of the exposure become law, we will update the Guide to reflect the new obligations
3. When would I have to notify?
An entity is required to notify both the Commissioner and the individuals to whom the information relates, as soon as practicable after the entity becomes aware, or ought reasonably to have been aware, that there are reasonable grounds to believe that there has been a serious data breach. Where an entity suspects a serious data breach may have occurred but is not sure, it has 30 days to conduct an assessment of whether notification is required. In comparison, notification in California and most other U.S. States must occur “in the most expedient manner possible and without unreasonable delay”. The Canadian laws require notification “as soon as feasible” after it is determined that a breach occurred.
4. Are there any exceptions?
There are exceptions:
- for law enforcement purposes;
- where secrecy provisions in other legislation apply;
- if the breach falls under the existing eHealth data breach notification scheme under the My Health Records Act; or
- on public interest grounds, such as where a breach notification would prejudice ongoing investigations.
Under the “secrecy provisions” exemption, telecommunications companies could be restricted from notifying breaches if notification would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of the Privacy Act) that prohibits or regulates the disclosure of information.
5. What would I have to include in the notification?
The notification must include the identity and contact details of the entity, a description of the data breach, the kind of information involved, and recommendations about the steps that individuals should take in response to the breach.
6. Would I have to notify affected individuals?
The entity must take such steps as are reasonable in the circumstances to notify the individuals involved. If it is not practicable to do so, the entity must publish a copy of the notification statement on its website and otherwise take reasonable steps to publicise the contents of the statement.
7. Additional powers of the Commissioner
In circumstances where the Commissioner believes that a serious data breach has occurred and no notification has been given, the Commissioner has the power to require the entity to provide information on the data breach. The Commissioner may also require additional information in some circumstances.
8. What are the penalties for non-compliance?
Failure to notify as required triggers the Commissioner’s usual powers to investigate, make determinations, seek enforceable undertakings and provide remedies for non-compliance. If the failure amounts to a serious or repeated interference of privacy, penalties may be imposed of up to A$360,000 for individuals and A$1.8 million for corporates.
The impact of the notification requirements on Australian businesses and foreign entities conducting business in Australia is likely to be far-reaching. Businesses should ensure they have the systems and processes in place to be able to comply with the requirements once enacted. The mandatory data breach scheme will become effective 12 months after the Bill receives royal assent. Business will need to implement an incident response plan, if they have not already done so. Even without a mandatory data breach notification scheme, it is important for businesses to have an incident response plan both from a compliance and risk management perspective. This plan should outline the processes and procedures for dealing with suspected data breaches, such as to:
- the nature of the incident (e.g., whether it was the result of a hacking, lost device or internal theft);
- what data and data subjects have been affected (type, location and number); and
- the likelihood and seriousness of the risk of harm to the affected individuals (particularly whether it would be likely to reach the real risk of serious harm threshold for notification under the Bill);
- determine who is aware of the incident internally and externally and set up a response team (including public relations personnel);
- inform the board and senior management;
- promptly take steps to protect the security of the system while avoiding destruction of critical electronic evidence;
- engage a reputable forensics firm to assist with reviewing and assessing the incident and collecting and preserving critical evidence;
- in suitable cases, take steps to recover or secure the information lost; and
- consider any other data breach reporting obligations that may apply globally.