In May 2014, it was reported that eBay’s database of approximately 145 million account holders had been hacked and account holders’ personal details compromised. eBay allegedly knew of the likely breach approximately two weeks before the first media reports, yet during that period it did not notify its account holders. Had it done so, account holders could have acted quickly to lessen the impact, for example by changing their passwords and securing their details. Unsurprisingly, eBay was heavily criticised for its handling of the breach, and its reputation was likely damaged.1
While Australia’s Privacy Act 1988 (Cth) (the Privacy Act) requires companies to put in place reasonable security measures and take reasonable steps to protect personal information, it does not require companies to notify affected individuals if they suffer a security breach of this kind.
However, this may soon change. What might the implications be for your company?
Mandatory data breach notification bill
Earlier in 2014, the Privacy Amendment (Privacy Alerts) Bill 2014 (the Bill) was introduced into the Senate by Lisa Singh, a Labor Senator. If the Bill is passed, mandatory data breach notification provisions will be inserted into the Privacy Act. In short, companies subject to the Privacy Act and the Australian Privacy Principles (APPs) would be required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if personal information is accessed, obtained, used, disclosed, copied or modified by unauthorised persons, or is lost in circumstances that could give rise to unauthorised access or disclosure.
Unauthorised access might occur when systems are hacked, but also when data is lost accidentally, for example where a USB stick or hard copy documents go missing.
These reforms would bring Australia into line with other jurisdictions, such as the European Union, which already impose notification obligations following breaches of data security.
What do the proposed amendments mean?
A ‘data breach’ will occur when personal information is accessed, obtained, used, disclosed, copied or modified by unauthorised persons, or is lost in circumstances that could give rise to unauthorised access or disclosure.
Companies that must comply with the Privacy Act will be required to notify significantly affected individuals and the Australian Information Commissioner (the Commissioner) as soon as reasonably practicable after they believe on reasonable grounds that a ‘serious data breach’ has occurred. Mandatory notification is also proposed for certain other events, such as where the personal information lost is of a particularly sensitive kind (e.g. health records).
The Commissioner will also be able to direct a company to lodge a data breach notification if the Commissioner believes on reasonable grounds that there has been a serious data breach in respect of the company.
Small businesses that are currently exempt from the requirements of the Privacy Act will not be subject to the data breach notification requirements.
What is a ‘serious data breach’?
A ‘serious data breach’ will occur where the breach gives rise to a real (that is, not remote) risk of serious harm to the individual to whom the information relates. It is immaterial whether the breach occurred maliciously, accidentally, negligently or improperly.
Harm includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm.
What would the notification be required to include?
The proposed notification must include, at least:
- the identity and contact details of the company;
- a description of the breach;
- the kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the serious data breach.
The company may use its normal means of communicating with individuals to notify affected persons and, where there are too many affected individuals to allow for personal notification, provisions enabling mass notification will apply.
Are there any exemptions?
The Commissioner can exempt companies from compliance, on the Commissioner’s own motion or upon application, if it is in the public interest to do so. There are also limited exemptions for law enforcement bodies and for information subject to Commonwealth secrecy provisions.2
Law enforcement bodies do not have to notify significantly affected individuals, or publish that a data breach has occurred, if compliance would prejudice an enforcement related activity. Moreover, if compliance with the provisions would be inconsistent with a Commonwealth secrecy provision, the secrecy provision prevails to the extent of the inconsistency.
What are the consequences for breach of the proposed provisions?
Non-compliance with the new provisions will be treated as an interference with the privacy of an individual under the Privacy Act. Companies that commit a serious or repeated interference with privacy may be liable for civil penalties of up to $1.7 million.
While the Government agrees in principle with the objects of the Bill, it has expressed concern that definitions such as “serious harm”, “real risk” and “serious breach” are too vague and lack precision.
The Government has also expressed concern that business and industry should not be over-regulated.
The Government therefore considers that there should be consultation with industry and the public before any legislation is passed.
Accordingly, although this Bill may not be passed, we consider it highly likely that data breach notification will become mandatory in Australia in the future, reflecting developments overseas.
In any event, as part of taking reasonable steps to protect personal information from unauthorised access, use or disclosure, companies should give serious consideration to adopting a data breach policy and response plan, which may include voluntarily notifying the OAIC and affected individuals.3
Having a plan in place would enable a company, as soon as it becomes aware of a data breach, to act quickly to:
- assess the extent of the data breach and its seriousness;
- take steps to contain the breach and secure affected systems, for example by resetting compromised passwords; and
- determine whether to notify the OAIC and affected individuals voluntarily.
Acting promptly and responsibly not only enables affected individuals to take steps to minimise damage, but may also reduce any reputational damage and the risk of the Commissioner seeking a penalty.