Five years after the ALRC recommended that mandatory data breach notification obligations be included in Australian privacy laws, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) which addresses this recommendation, was tabled in Parliament on 29 May 2013.
If the Bill passes, the amendments will commence on 12 March 2014. This is timed to coincide with the commencement of the incoming Privacy Act 1988 (Cth) (Privacy Act) reforms which were passed late last year (see our previous summary of those reforms here).
What you need to do next
If the amendments are passed as anticipated, it is crucial to ensure that appropriate internal steps have been taken and processes and procedures put in place to ensure:
- your organisation provides appropriate security for any personal data held by the organisation;
- incidences of breaches will be identified and notified to someone within the organisation who is responsible for compliance with the privacy laws (eg a data privacy officer); and
in the event of a breach occurring:
- the relevant data and affected individuals are identified;
- the risk of harm is assessed; and
- the notification requirements are met.
The key reforms in the Bill are:
- obligation to report serious data breaches: organisations and agencies which are required to comply with the Privacy Act must notify the data subject and anyone else who is significantly affected (affected individuals) and the Australian Information Commissioner where there has been a serious data breach of personal information, credit reporting information, credit eligibility information, tax file numbers, and any other information that may be specified by regulation.
new powers of the Australian Information Commissioner:
- the Commissioner has the power to direct an entity to notify affected individuals or the public of a data breach or to exempt an entity from the notification requirements; and
- if an entity fails to provide the required notification for a serious data breach, the Commissioner has the power to investigate further, make determinations, seek enforceable undertakings, seek personal and private apologies, order compensation payments, and in cases of serious or repeated non-compliance, seek civil penalties of up to A$1.7 million.
- Australian entities must report overseas entity breaches: Australian entities are responsible for the acts of their overseas recipients pursuant to Australian Privacy Principle 8.1 A regulated Australian entity must also notify affected individuals and the Commissioner if the overseas recipient suffers a serious data breach.
In its 2008 report (ALRC Report 108 - For Your Information: Australian Privacy Law and Practice), the Australian Law Reform Commission (ALRC) noted that growing use of technology was resulting in larger amounts of personal information being held by entities in electronic form. This suggested that the risk of data breaches with widespread consequences would become more common. Based on this, the ALRC expressed the view that implementing notification obligations in such circumstances could act as an incentive to implement better security practices and assist individuals to deal more promptly with the consequences of such breaches.
The Office of the Australian Information Commissioner published a set of voluntary guidelines in April 2012 with respect to handling personal information security breaches.
Based on the rise in the number of instances of reported data breaches, there appears to be a growing incidence of breaches. After a public consultation based on a discussion paper released in November last year, the Bill was drafted to address these concerns.
Who is required to report
- All entities which are currently required to comply with the Privacy Act will be required to report serious data breaches.
- Most of the existing exemptions e.g. for small businesses, with respect to employee records, charities, political parties and the media will continue to apply.
- Credit reporting bodies, credit providers and holders of tax file numbers will not be exempt under these requirements with respect to personal information, credit reporting information, credit eligibility information or tax file numbers.
When do you have to report?
If an entity believes on reasonable grounds that there has been a serious data breach of the entity in relation to:
- personal information;
- credit reporting information;
- credit eligibility information; or
- tax file number information
the entity must, as soon as practicable, follow the notification requirements set out below.
A serious data breach is:
- when there is unauthorised access to, or unauthorised disclosure of, the regulated information or the regulated information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the regulated information may occur; and
- the access or disclosure will result in a "real risk" of serious harm to any of the individuals to whom the personal information relates.
The Bill does not attempt to restrictively define harm and simply states that harm includes harm to reputation, economic harm and financial harm. However, a real risk is defined as a risk that is not a remote risk.
What are the notification requirements?
The entity must:
prepare a statement which contains:
- the identity and contact details of the entity;
- a description of the serious data breach that the entity believes has happened;
- the kinds of information concerned;
- recommendations about the steps that individuals should take in response to the serious data breach that the entity believes has happened; and
- such other information (if any) as specified in the regulations, and
- give a copy of the statement to the Commissioner; and
- if the general publication conditions (to be determined in any future regulations) are not satisfied - take such steps as are reasonable to notify the contents of the statement to the individuals which are significantly affected by the relevant serious data breach; or
- if the general publication conditions are satisfied - publish the statement on the entity's website and publish the statement in at least one newspaper which circulates generally in a state or territory for each of the states and territories of Australia.
An individual would be significantly affected by a serious data breach if the risk contained in that breach relates to that individual.
The entity may communicate with the affected individuals in the normal way it usually communicates with those individuals e.g. by email, as it is recognised that individuals may ignore messages which are sent via unexpected methods of communication.
The explanatory memorandum for the Bill also refers to how the USA and the European Union have been undergoing legislative reform with respect to data breach notification requirements.
Mandatory data breach notification requirements originated out of the United States.
As of January 2013, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted notification laws involving security breaches of personal information. Generally, US state data breach notification laws apply to any entity that owns or licenses certain categories of personal information about a resident of the state that has promulgated such a law.
In general, most US state laws follow California's data security breach notification law (which was the first such law in the US) which requires companies to immediately disclose a data breach to customers, usually in writing. The trigger for notification in California is where unencrypted personal information of a California resident is or is reasonably believed to have been acquired by an unauthorised person. Notification must occur "as soon as possible, without unreasonable delay". There is no risk or harm threshold.
Under US state breach notification laws generally, the penalties for non-compliance typically range from injunctions, civil penalties, and private rights of action. Civil penalties can range from A$100 to A$750,000 per violation. For continuing violations, civil penalties can be much larger.
Europe does not currently have a uniform data breach notification law.
Instead, data breach notification requirements in Europe are regulated on a per country or per industry basis. This means that there are various laws which have different thresholds for triggering notifications and different requirements as to when individuals and/or regulators should be notified of data breaches.
The proposed Regulation for the Protection of Personal Data released In January 2012 proposes that companies be required to disclose data breaches (with no current threshold on risk or harm) to supervisory authorities within 24 hours of their occurrence and to individuals involved where an adverse effect on their privacy is anticipated. The Regulation has been the subject of significant discussion. The final vote on the Regulation is not likely before early 2014 and currently has a transition period of two years, meaning it would not be effective before 2016.
Additionally, earlier this year, the European Union included a data breach notification law in its new, proposed cyber security directive which would oblige relevant entities to report any security incident that 'seriously compromises the operation of networks and information systems', such as when they have been hacked, suffered a data breach or been attacked online.
What is the likely impact of the proposed law?
The likely advantages of the proposed law are that it will create an incentive for better data security, improve transparency of data management and facilitate remedial action by data subjects when their data is lost or exposed to risk of loss.
The obvious difficulty with the new law is that the entity suffering a data breach will be required to make some difficult assessments which, if wrong, could result in serious penalties. For example whether or not a data loss will result in "real risk of serious harm" depends to some extent on who might have gained access to the information and what they might be prepared to do with it. What should the entity suffering a data loss assume about the party that may have committed the breach? What are reasonable assumptions for the making of this assessment? Often nothing is known about the cause of the breach and/or whether any information has in fact been lost. Also the proposed law requires notification of “significantly affected” parties. Such parties may be difficult to identify and it may not be possible to contact all those who are significantly affected.
The impact of the law may be less for multinational corporations who may be subject to data breach notification laws in other countries. The implementation of a mandatory data breach notification requirement will be an important consideration for entities in determining where to host their data.