Last week it was revealed by news services, and later confirmed, that the Commonwealth Bank (CBA) had reported a data breach to the regulators in 2016. But the real story was that the bank had not reported the incident any further than this at the relevant time and, in particular, had not informed the customers to whom the data related.
CBA has admitted that in 2016 it did not receive the required evidence of destruction of two magnetic tapes that were supposed to be destroyed by its subcontractor Fuji-Xerox. The tapes contained partial information used to print statements, such as customers’ names, addresses, account numbers and transaction details from 2000 to 2016. Reportedly, almost 20 million customer accounts were affected, but the bank was quick to stress that the information did not contain details that would enable someone to access an account, such as passwords or PINs. When CBA did not receive certificates of destruction, it launched an investigation and reported the incident to the Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA). The incident is an example of how information does not have to be ‘disclosed’ to be considered a data breach; ‘lost’ information can also potentially give rise to obligations to notify affected individuals.
In response to the reports, various commentators have opined that if the incident had happened today (since the advent of the mandatory notifiable data breach laws introduced on 22 February 2018), the bank would have to advise each of its customers about the loss of data. However, it is arguable whether a legal obligation to notify would necessarily arise under the new laws. The new regime requires organisations to notify affected individuals (and the OAIC) of data breaches that create a real risk of serious harm to affected individuals. In 2016, the bank chose not to notify its customers, as the report the bank commissioned concluded that the most likely scenario was that the tapes containing personal information had been destroyed, and so the bank assessed that the risk of the data having fallen into malicious hands was low. CBA has confirmed that there has been no evidence of suspicious activity involving the affected accounts since that time.
The OAIC has released a statement noting that it had made further inquiries in relation to the 2016 incident and sought information from the bank to satisfy itself that the bank’s customers’ personal information is adequately protected.
The mandatory obligation to notify is not a foregone conclusion when faced with any data breach. The legal obligation is to assess a suspected data breach and then determine whether there is a real risk of serious harm, and this case is a good example of that. However, the practical lesson for organisations is that when a breach is suspected and investigated, the circumstances may call for actions, such as notification of the breach, even if notification is not legally required on the basis of likely serious harm. Regardless of any legal obligation to notify, public opinion and increasing calls for transparency and trust may result in a decision to report the incident for what it is.