The Government's announcement on 7 April 2015 follows a recommendation by the Parliamentary Joint Committee on Intelligence and Security (Committee), in the Advisory Report on the controversial Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Telecommunications Amendment Act), to introduce mandatory notification of data breaches.
While the voluntary notification of data breaches to affected individuals is encouraged, there is currently no provision in the Privacy Act 1988 (Privacy Act) requiring mandatory notification. Although this issue is addressed by the Privacy Amendment (Privacy Alerts) Bill 2014 (Privacy Bill), a private member's Bill previously introduced by an Opposition Senator, the Government has indicated it will introduce new draft legislation for consultation.
What do these changes mean for your organisation?
The proposed mandatory data breach notification scheme will place increased regulatory and financial burdens on affected organisations, which will include not just the telecommunications and internet service providers impacted by the Telecommunications Amendment Act, but also those organisations that are currently subject to the Privacy Act.
It is imperative that organisations likely to be impacted by the proposed mandatory data breach notification scheme revisit their existing cyber resilience plans.
Mandatory data breach notification – a potted history
Although the Privacy Act requires Australian Government agencies and specified private sector organisations to implement reasonable security safeguards and take reasonable steps to protect the personal information they hold, there is currently no provision requiring the mandatory notification of data breaches. This is despite the recommendation of the Australian Law Reform Commission that mandatory notification be introduced, save for circumstances where such notification would impact a law enforcement investigation or otherwise be contrary to the public interest.
A voluntary data breach notification scheme, intended to apply where there is a real risk of serious harm, has not resulted in widespread notification to affected individuals following breach events.
The Privacy Amendment (Privacy Alerts) Bill 2013, which proposed the establishment of a framework for the mandatory notification of serious data breaches, lapsed. The Privacy Bill was subsequently reintroduced in substantially the same terms and remains before the Senate.
The Australian Government has announced that it is preparing new draft legislation to amend the Privacy Act to introduce the requirement that affected individuals be notified in the event their personal information is compromised.
Amending the Privacy Act – key concepts
It remains to be seen how the new draft legislation to be introduced by the Government will vary from the mandatory data breach notification scheme proposed in the Privacy Bill.
The Privacy Bill requires that the Privacy Commissioner and 'significantly affected individuals' be notified in the event that unauthorised access to, or disclosure of, personal information occurs. 'Significantly affected individuals' are individuals to whom the personal information relates or who are taken to be significantly affected by the breach.
The Explanatory Memorandum to the Privacy Bill states that the introduction of a notification requirement would allow affected individuals to take remedial steps to lessen the impact of data breaches.
Under the Privacy Bill, a failure to comply with the mandatory notification requirements would be deemed an interference with privacy. The Privacy Commissioner could require affected organisations to take remedial steps, including the payment of compensation, the giving of an apology, or compliance with a direction to take or refrain from taking certain action.
While the Government has broadly supported the concept of privacy protection for individuals, it has previously expressed concerns about some of the details of the Privacy Bill (including the way in which certain key concepts were defined). It will be interesting to see how these key concepts are addressed in the new draft legislation, given the Government's stated desire to balance the protection of individuals' privacy with the increased burden necessitated by further regulation.
The relevance of the Telecommunications Amendment Act
The Committee recommended the introduction of mandatory notification of data breaches in the context of its Advisory Report on the controversial Telecommunications Amendment Act, which requires affected organisations to retain metadata for a period of two years. (See our recent blog post discussing this legislation.)
While the Committee accepted that the issue of mandatory data breach notification was part of broader considerations within the Australian Government, it still recommended that a mandatory data breach notification scheme accompany the introduction of the metadata retention laws. The stated reason was the need to provide strong incentives for telecommunications and internet service providers to implement robust security measures to protect data affected by the new metadata retention regime.
The Committee considered it appropriate that all telecommunications and internet service providers, including those that would not otherwise be bound by the Privacy Act, be subject to either the Australian Privacy Principles or other binding rules of the Privacy Commissioner.
What you need to do
The Australian Government's pledge to introduce mandatory data breach notification, coupled with the recent release by ASIC of its Cyber Resilience Health Check report, reiterates the need for affected organisations to review their cyber security and cyber resilience plans.
Cyber resilience is particularly important in the context of the Telecommunications Amendment Act. Given the metadata of some affected organisations may be commercially sensitive, there is a risk that the metadata retention obligation will unintentionally create a 'honeypot' for cyber attacks by third parties. Affected organisations will need to revisit their cyber resilience plans with this in mind.
The following practical steps are a useful starting point:
- conduct a contractual review to determine the allocation of risks and responsibilities between your organisation, its clients and third-party providers;
- identify the critical data, systems and services for which your organisation is responsible, with particular emphasis on personal information that is likely to be impacted by the amendments to the privacy laws or potentially attractive to hackers;
- ensure your organisation's employees are apprised of your cyber resilience plan and invested in the ongoing success of your organisation;
- recognise that cyber attacks are no longer the domain of the IT department alone: executives should make it their business to understand antivirus software, firewalls, data encryption and hacking risks.
While the development of a cyber resilience plan is crucial, there is no foolproof system for protecting your organisation from the threat of a cyber attack, and organisations may also wish to consider the benefits of a specialist cyber risk insurance policy.