Mandatory data breach notification - what you need to know
Yesterday, the Australian Senate passed the Government's Privacy Amendment (Notifiable Data Breaches) Bill 2016. If it receives royal assent, the Bill will amend the Privacy Act 1988 to introduce the long-awaited mandatory data breach notification scheme. It will probably take 12 months before the new provisions take effect, which means 12 months to get data breach ready!
Who needs to comply?
Entities that need to comply with the new requirements include:
· businesses with over $3 million in turnover
· businesses (even small) that handle sensitive information
· most government agencies.
Beware: outsourcing to third-party providers will not get you out of trouble!
What is an eligible data breach?
An “eligible data breach” will occur in situations where unauthorised access to, or unauthorised disclosure of, personal information would be likely to result in serious harm to any of the individuals to whom the information relates.
Breaches include malicious actions, such as theft or hacking, but they may also arise from internal errors or failure to follow information-handling policies that cause accidental loss or disclosure of individuals’ personal information.
When to notify?
Notification will be required if the breach “is likely to result in serious harm” to an affected individual. So not all data breaches will need to be notified, and risk mitigation will be essential.
Organisations must notify the Office of the Australian Information Commissioner and affected individuals "as soon as practicable" after becoming aware that a data breach has occurred. Where it is uncertain whether a breach has occurred, organisations will have up to 30 days to investigate whether a breach notification is needed.
What must be included in the notification?
The notification must contain:
· the identity and contact details of the organisation
· a description of the breach
· the type of information that was disclosed
· recommendations about the steps individuals should take in response to the breach
Existing requirement to protect personal information
Australian Privacy Principle 11 (in the Privacy Act) already requires certain entities that hold personal information to protect it from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
Possible consequences of a data breach
Under the amended Privacy Act, failure to take reasonable steps to protect personal information, or failure to notify an eligible data breach, may have serious consequences for an organisation. These include compensation to the affected individuals and, for serious or repeated non-compliance with the mandatory notification requirements, civil penalties of up to $360,000 for individuals and $1.8 million for organisations.
There are other legal obligations and potential liabilities associated with data breaches, including:
· under the Corporations Act 2001, directors may be personally liable for breach of their obligation under section 180 to exercise their powers and discharge their duties with reasonable care and diligence
· under the ASX Listing Rules, listed entities may be in breach of the continuous and periodic disclosure requirements
· under the Competition and Consumer Act 2010, the organisation (and potentially its officers or employees) may be liable for claims of misleading or deceptive conduct
· under specific contractual provisions with suppliers or customers, an organisation may be in breach of its data and confidentiality obligations
· organisations regulated by APRA (banks, insurance companies and most members of the superannuation industry) may also be liable for breach of APRA’s prudential standards regarding outsourcing.
The consequences go beyond non-compliance and the following could have disastrous effects on an organisation if a data breach occurs:
· loss of intellectual property and commercially sensitive information
· indirect losses due to delays caused by the breach
· reputational loss due to a loss of confidence
· costs of investigation and administration
How you can protect your organisation
1. Raise awareness and understand the risks: corporate governance is critical; make sure your board and management are across these issues
2. Identify your risks and comply with your obligations: IT systems are critical but not sufficient. What are the specific risks for your organisation (consumer information, intellectual property and sensitive information, supply chain and IoT, M&A, supplier contracts, employees)? Do you have appropriate policies in place? Do you know how much it would cost your organisation if a serious breach occurred?
3. Detect and monitor: you should have a comprehensive cybersecurity and data management programme to allocate responsibilities across the organisation
4. Respond: have a detailed data breach response plan to mitigate the risks and have appropriate plans to respond to a data breach (including a process for identification, response and notification)
5. Recover: have a detailed business continuity and disaster recovery plan
6. Learn: amending your programme, plans and policies following a breach and ongoing training will further mitigate the cyber risks
7. Insure: review your insurance policy to check whether it covers you for these cyber risks and obtain specific cyber insurance as appropriate (for example, in an M&A transaction)
You cannot eliminate the cyber risks, but do not ignore them!
Christelle Santelli
This article is a general overview and is not intended to be comprehensive; the views expressed are those of its author, and it does not constitute, and must not be relied on as, legal advice.