Australian businesses can no longer keep quiet about cyber security breaches, with Parliament passing laws mandating their disclosure. On 13 February 2017, the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, set to receive royal assent. Finally bringing Australia into line with other countries globally, the new rules will take effect within 12 months, giving businesses limited time to prepare for compliance with the new legislation.
The Amendment Act amends the Privacy Act 1988 (the Privacy Act) to introduce mandatory data breach notification requirements for Commonwealth government agencies, private sector organisations and specific other entities (including credit reporting bodies and recipients of tax file number information) that are regulated by the Privacy Act.
In the 2016 Federal Budget, the Australian Government announced how it intended to fund its new Cyber Safety Strategy package, with funding aimed at assisting those businesses who traditionally hadn't focussed on cyber security as a priority. The question then for mid-size businesses, in particular, was how the proposed measures would actually assist them, and whether it’s enough. The introduction of this new legislation only adds to the pressure on businesses to ensure adequate compliance.
When do you need to notify?
The threshold for notification under the new Act will be more onerous than most other global jurisdictions, with the test based on whether the breach "is likely to result" in serious harm to an affected individual.
Presently, there is no mandatory requirement for an organisation that is the victim of a cyber-attack to inform the Office of the Australian Information Commissioner (OAIC) or affected individuals following a data breach involving personal information. The Privacy Act, however, already requires businesses that hold personal information to protect it from misuse, interference and loss, as well as unauthorised access, modification or disclosure, which includes where a business engages third parties to store personal information. Present predictions by the OAIC suggest that the new mandatory requirements for notification will double the number of reported incidents each year.
What do you need to notify?
Now is the time to get compliance ready.
Within 12 months, you will be required to report a cyber breach captured by the Act to the OAIC and to affected individuals as soon as practicable, identifying the breach, the type of information that was disclosed and recommendations about the steps individuals should take in response to the breach. For notifying individuals affected, you will also need to publish a notification online and take reasonable steps to notify all affected individuals.
A failure to report or notify individuals may require you to make a formal public apology and pay compensation to any affected individuals and large civil penalties could also apply for serious or repeated non-compliance with mandatory notification requirements.
Ensuring you are protected from a serious data breach
The Cyber Safety Strategy package announced as part of last year’s Federal Budget was applauded for bringing to the table a cyber security health check scheme for the public and private sector. It was noted at the time however, that the onus would always be on businesses to step up and play their own role in fighting cybercrime, particularly in those industries that operate critical infrastructure. This new legislation brings that responsibility into sharp focus.
A factor that will be taken into account when considering whether a notifiable data breach has occurred is whether the information was protected by appropriate security measures.
Ensuring you have in place an appropriate data breach response plan will be also be critical over the coming 12 months. You should also consider negotiating insurance to cover cybercrime risks, particularly in relation to covering costs arising from loss of goodwill and reputational harm as well as attributable to negligent data security (which are often exclusions under existing policies).