Privacy legislation requiring notification of data breaches will shortly become federal law.
On 19 October 2016, the Commonwealth Minister for Justice, Michael Keenan, outlined to Parliament the rationale for the legislation requiring a compulsory notification scheme: receiving notification of the breach can allow that person to take action to protect themselves from harm.
While the Privacy Amendment (Notifiable Data Breaches) Bill 2016 will only apply to the personal information of individuals, it will have significant practical implications for contractual relationships and corporate data security. Here’s why:
Notified data breaches will become instant public news. Not only will the person affected vent their displeasure on social media and via company and media comments pages, but breaches will be reported in the mass media and recorded in perpetuity online.
Dedicated privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches. A good example that will undoubtedly be copied in Australia is the database maintained by the Privacy Rights Clearinghouse: https://www.privacyrights.org/data-breaches
Your contractual counterparties will know about the breach and will be concerned about whether their confidential information has been breached.
The consequences for organisations that are the subject of cyber breaches are potentially very serious. For example, many standard form confidentiality agreements require counterparties to: notify the other party of any possible or actual breach of confidentiality; take all reasonable steps required to prevent or stop the breach at the Recipient’s request; assist the other party in connection with any action or investigation regarding any possible or actual unauthorised disclosure. Some confidentiality or non-disclosure agreements may also require that the breaching party indemnify the loss caused by the unauthorised disclosure.
More sophisticated contracts, particularly in the technology and telecommunications industries, now include specific cyber security provisions requiring immediate notification on becoming aware of any breach or potential breach (which is usually defined to include the detection of any malicious code or disruption to services). This is frequently backed up by requirements for suppliers to provide security reports and to allow security audits from time to time.
It’s an understatement that it would be difficult to comply with such obligations in the immediate aftermath of a data breach. Yet, contractual compliance will require notifying contractual counterparties as part of the first response to learning of a data breach.
Most organisations aren’t in a position to handle such an issue in a sophisticated way, and much of the focus has been on responding to privacy obligations and personal information. Data breaches will require a co-ordinated B2C and B2B response. The publicity and brand damage associated with the B2C response is a serious enough matter, but the failure to observe B2B contractual obligations could leave a company facing major litigation (including class actions if enough counterparties are affected), terminated contracts and a lack of commercial confidence that could be ruinous.
Managing the contractual obligations in the public sphere can only be done against the background of an organisation having a corporate road map and executing on a clear plan. Executing successfully on that plan and being able to communicate an appropriate response to a breach is also the only realistic response an organisation can have to an online record tracking each reported breach.
Responding to contractual counterparties on the other hand will require a separate but equally important plan for response. There is clearly the potential for cyber breaches to cause significant contractual liability, and the effects of public disclosures and contractual notification obligations need careful thought, in advance of any breach occurring.