Any Australian business with an annual turnover in excess of $3,000,000 needs to be aware that it will likely be subject to mandatory reporting obligations in the event of a security breach involving personal information under its control.

The Commonwealth government recently released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth). The exposure draft, which is accompanied by an Explanatory Memorandum, is open for comment until 4 March 2016. A final draft Bill will then be prepared and presented before Parliament.

What is the purpose of the proposed legislation?

The objective of the proposed legislation is to amend the Privacy Act 1988 (Cth) by introducing an obligation on Australian government agencies and private sector organisations to report "serious data breaches" involving personal information under their control.
 
The scheme would not extend to "small businesses" (that is, businesses with an annual turnover of $3,000,000 or less), nor would it extend to state or territory government agencies or local councils.
 
The proposed legislation is a response, in particular, to increasing concerns over the ramifications of identity theft.  It is estimated that the economic impact of identity crime in Australia is in excess of $1.5 billion per annum.  A survey by the Australian Institute of Criminology in 2013 found that 9.4% of surveyed individuals reported having suffered the loss or theft of personal information in the previous 12 months, with victims on average losing $4,101 per incident and spending at least 8 hours dealing with the consequences.  
 
More broadly, a survey by the Ponemon Institute in 2015 found that the cost to businesses associated with business losses arising from data breaches in Australia, such as the abnormal turnover of customers, reputational loss and diminished goodwill, rose from $0.66m in 2010 to $0.89m in 2015.

What is a "serious data breach"?

For the purposes of the proposed legislation, a "serious data breach" would occur if personal information, credit reporting information, credit eligibility information or tax file number information held by the entity is subject to unauthorised access or disclosure, or lost in circumstances that are likely to give rise to the same, and the access or disclosure will or would put an individual at "real risk of serious harm". 

A range of factors would be considered in determining whether a "real risk of serious harm" exists, including the sensitivity of the information and whether or not the information is protected by any security measures.  A "real risk" would be one that is not remote.  "Harm" would include physical, psychological, emotional, reputational, economic and financial harm.  

What will entities have to do in the event of a data breach?

The disclosure obligation would require an entity to notify the Australian Information Commissioner and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred.

In circumstances where an entity suspects, but is not certain, that a serious data breach has occurred, it would have 30 days to assess whether notification is required.
 
An entity that failed to report a serious data breach could not rely on the defence that it was not aware of the breach if, in all the circumstances, it should have detected the problem.
 
In addition to notifying the Commissioner, an entity would be required to take such steps as were reasonable in the circumstances to also notify each affected individual.  Notification of individuals would involve the use of channels normally used by that entity to communicate with those individuals (whether email, post or phone, for example).
 
The proposed legislation acknowledges that in some instances it may not be reasonable to notify an individual – if, for example, contact details for the individual are not held, or the cost of notifying each individual would be excessive in all of the circumstances.  Nevertheless, if it were not practicable to notify each affected individual, the entity would be required to publish a notice about the data breach on its website and take such other reasonable steps to publicise the notice (for example, through an advertisement or social media post) as were appropriate in the circumstances.
 
A failure to comply with the proposed notification obligations would fall under the existing enforcement and civil penalties framework contained in the Privacy Act, meaning that, for example, in the event of serious or repeated non-compliance by the entity, the Commissioner could apply to the Federal Court or Federal Circuit Court to impose a civil penalty.

How will the proposed scheme interact with the data retention scheme?

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Act), which came into effect on 13 October 2015, requires the providers of certain services to retain a range of communications data for a fixed period of time.  The proposed notification obligations would apply to those service providers, with respect to the data collected and retained by them under the Data Retention Act.

What led to this development? 

Mandatory data breach notification obligations have been under consideration in Australia for some time.  This current proposal is a response to a recommendation by the Parliamentary Joint Committee on Intelligence and Security following its November 2014 enquiry into the bill that led to the introduction of the data retention scheme.  The government accepted that recommendation in March 2015.
 
The previous government attempted to introduce mandatory data breach notification legislation in 2013, based on a recommendation made by the Australian Law Reform Commission in its 2008 report "For Your Information: Australian Privacy Law and Practice". The Bill was referred by the Senate to the Legal and Constitutional Affairs Legislation Committee in June of that year for further enquiry, but then lapsed with the subsequent change of government.
 
The proposed legislation is consistent with international trends in the area of data protection, with legislation already in existence, or in the process of introduction, in the European Union, New Zealand, Canada and 47 of the US states.

In view of the economic rationale underpinning the proposed legislation, the extent of similar international schemes and the previous bipartisan support accorded to earlier attempts to introduce similar legislation into the Australian Parliament, it can be comfortably assumed that, in one form or another, mandatory data breach notification legislation will be introduced in Australia in the course of 2016.