On 22 February 2018, Australia’s new Notifiable Data Breach Regime will come into effect, introducing mandatory data breach notification obligations for all organisations subject to Australia’s Privacy Act 1988 (Cth).
The regime is set to have a significant impact on an organisation’s approach to cyber security, because it requires regulated entities to:
These obligations under the new regime must be read together with an entity’s security obligations under the Privacy Act 1988 (Cth). In particular, Australian Privacy Principle (APP) 11.1 requires entities to take reasonable steps to ensure the security of personal information.
In this article, we provide a detailed overview of the key terms and requirements of the new Notifiable Data Breach Regime, including a high level overview of the legislation, the factors to consider when assessing whether a data breach is an ‘eligible data breach’ and a handy checklist with the steps that your organisation should take to prepare for the new laws.
Whether the Notifiable Data Breach Regime applies depends on the entity involved in the data breach, and the information it holds.
For the Notifiable Data Breach Regime to apply, an entity must fall into one of the following categories:
Note: The Notifiable Data Breach Regime can apply to APP entities and credit providers even if they disclose information overseas, and no longer hold the information. APP entities are deemed to hold the personal information they disclose to an overseas recipients if APP 8.1 applies. Credit providers are deemed to hold the credit eligibility information they disclose to overseas recipients under sections 21G(3)(b)-(c) or 21M of the Privacy Act.
The Notifiable Data Breach Regime applies if the data involved in a breach is:
If the data involved is not one of the above four types (e.g. confidential company information or de-identified information), the Notifiable Data Breach Regime will not apply, but other obligations may (e.g. contractual or disclosure obligations to the ASX).
A data breach occurs if there is unauthorised access to, unauthorised disclosure of, or loss of information (e.g. personal information). However, the Notifiable Data Breach Regime does not impose obligations on all types of data breaches.
For the regime to apply, a data breach must be an ‘eligible data breach’. A data breach is only an eligible data breach if a reasonable person would conclude that it is likely that an affected individual would suffer serious harm because of the breach.
‘Likely’ means more probable than not (rather than a possibility), under the judgment of a reasonable person in the entity’s position. ‘Serious harm’ includes physical, psychological, emotional, financial and reputational harm (being upset is insufficient). Three main factors affect whether harm is serious:
Entities need to consider each of the above three factors carefully when determining whether a breach is an eligible data breach. Some examples of eligible data breaches include:
A data breach would not be considered an eligible data breach if the data is protected to a high standard. For example, if a company holding credit card information (encrypted to a high standard) is subject to a cyber-attack, the breach would not be an eligible data breach.
Under the new regime, you need to check whether you ‘suspect’ that a breach has occurred, or whether you ‘believe’ that a breach has occurred. What you need to do to meet your notification requirements differs greatly depending on whether you ‘suspect’ or ‘believe’ that a breach has occurred.
Under the new regime, when an entity has reasonable grounds to suspect that there has been an eligible data breach, it must take reasonable steps to confirm:
An entity will have reasonable grounds to suspect if there is information to suggest that a data breach may have occurred, but cannot confirm:
For example, if an entity receives an isolated complaint about a data breach (as opposed to multiple complaints from different users), the OAIC considers that there are reasonable grounds to suspect, but not yet have reasonable grounds to believe that a data breach occurred.
A self-assessment must be completed by the entity within 30 days. The OAIC sees this 30 day time period as the maximum time limit, and suggests entities complete their assessment in a much shorter time frame.
An entity will have reasonable grounds to believe that an eligible data breach occurred if it is actually aware that personal information has been accessed.
Under the new regime, when an entity has reasonable grounds to believe that an eligible data breach occurred, it must, as soon as practicable after forming that belief:
The OAIC may also give written notice to entities directing them to notify the OAIC or affected individuals if it is aware of reasonable grounds to believe that there has been an eligible data breach.
This can occur if the OAIC is notified about the breach before the entity, or if the OAIC disagrees with the entity’s assessment of the seriousness of the breach.
Before requiring entities to notify, the OAIC will first invite the entity to make submissions about the breach. These submissions will be considered by the OAIC, so the entity may wish to argue that notification is not required, or only required to a limited extent.
There are some limited exceptions to the notification requirements set out above. These occur when:
Failure to comply with the assessment or notification obligations is considered an interference with the privacy of an individual. This means that the OAIC may impose fines of up to $420,000 for individuals, or $2.1 million for organisations for serious or repeated interferences with privacy. Notification may also lead to an increased number of privacy complaints, and OAIC determinations awarding compensation.
In order to help prepare your organisation for the new Notifiable Data Breach Regime, we recommend that you take the following steps:
The below checklist provides greater detail about what to consider in relation to each of these five steps and may assist you in your preparation for the new regime.
1. Have you conducted an information security audit?
An Information Security Audit will help you identify information risks, and how to strengthen your cyber security.
Three things to consider as part of your audit are:
1. Your data situation:
2. Your current cyber security measures:
3. The cyber security risks:
4. Check coverage of your cyber insurance policy.
2. Do you have a data breach response team?
It is important to react quickly in the event of a breach. To this end, we recommend establishing a data breach. This team should have:
3. Have you updated and tested your data breach response plan?
A data breach response plan sets out the processes that need to be followed internally when there is a data breach. At a minimum, it should:
Once you have a data breach response plan, we recommend conducting a ‘data breach drill’ – test your plan, see how it would work in practice, and make any necessary improvements.
4. Have you updated your internal policies and organised staff training?
With the introduction of mandatory data breach notification, it is now more important than ever that board members and staff are made aware of your organisation’s cyber security policies and procedures.
Some key things to educate your staff on include:
This information should be clearly communicated to employees through staff training session and internal organisation-wide updates. Prepare a ‘Key Takeaways’ document for all your staff so they know what to do if they come across a cyber issue.
5. Have you reviewed your contracts with third parties?
Where a third party stores or has access to your data, it may be necessary to review the relevant contracts to ensure that:
Finally, contracts should allocate responsibility for a data breach, including setting out who will pay the costs for investigating and remediating a breach, and for paying any potential penalties.
Corrs Cyber is a rapid-response cyber security team, created to help organisations prepare for and recover from a cyber-attack or data security breach. Our multidisciplinary team provides access to data breach management specialists, including legal advisers, IT forensic investigation specialists, cyber risk and incident response consultants, and crisis and reputation management services. With the ability to respond to any type of cyber incident, the Corrs Cyber team offers a complete, solution-based round-the clock cyber incident service.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.