The Situation: Acknowledging the potential consequences of personal information data breaches, and to align itself with other jurisdictions, Australia has amended its Privacy Act 1988 with its first Data Breach Bill.
The Result: Entities are required to notify affected parties and the Australian Information Commissioner in data breach cases where "serious harm" is likely.
Looking Ahead: The introduction of the Data Breach Bill may mean reputational damage and more litigation for entities involved in a breach.
Australia's Data Breach Bill amends the Privacy Act 1988 (Cth) ("Privacy Act") and requires private and public organisations regulated by the Privacy Act to notify affected individuals and the Australian Information Commissioner of "eligible data breaches". The requirements take effect on 23 February 2018 or an earlier date determined by Proclamation of the Governor-General of Australia ("Commencement Date").
The notification requirements apply in the event of unauthorised access or disclosure, or loss of information that occurs on or after the Commencement Date. Organisations affected by these requirements should ensure they have introduced appropriate practices, procedures and systems to comply with the notification obligations.
The action likely means more reported data breaches, leading to reputational damage to entities and increased litigation concerning breaches. Entities may also face class action litigation from a class of individuals affected by the breach.
Background to the Data Breach Bill
Mandatory data breach notification provides affected individuals with notice after a breach to provide time to protect against potential harms related to the breach, e.g., by changing online passwords or cancelling credit cards. The Bill aligns Australia with other jurisdictions that have mandated data breach notification schemes.
What Entities Must Comply with the Notification Requirements?
- Private sector organisations (individuals, body corporate, partnerships, unincorporated associations or trusts) formed in Australia, conducting business in Australia or collecting personal information from individuals located in Australia and have, or are related bodies of an entity that has, an annual turnover of more than A$3 million;
- Australian government agencies; and
- Credit providers (e.g., a bank or an organisation issuing credit cards).
Any entity that discloses personal information to a recipient located outside of Australia (and is not exempted from Australian Privacy Principle 8.1) will be considered the holder of that information and is required to notify the Information Commissioner and affected individuals if there is an "eligible data breach" of the information.
When are Entities Required to Notify a Data Breach?
An entity must notify the Information Commissioner and affected individuals once it has reasonable grounds to believe there is an "eligible data breach," which occurs when:
- There is unauthorised access to, or disclosure of, information, and a reasonable person would conclude that the access or disclosure would likely result in serious harm to any of the individuals to whom the information relates; or
- Information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, information is likely to occur and, if it did occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Entities must consider whether it is likely that the data breach result in serious harm to any of the relevant individuals—as long as one individual is likely to suffer serious harm, the entity will be required to notify the data breach.
What is "Serious Harm"?
The Data Breach Bill outlines matters to be considered when determining whether a data breach may result in serious harm. These matters include:
- The nature of the harm;
- The kinds of information and sensitivity of the information involved in the breach;
- Whether the information is protected by security measures and, if so, the likelihood that these security measures could be overcome; and
- The persons who have obtained or could obtain the information.
If an entity suspects that there has been a data breach but is not certain that it amounts to an "eligible data breach", it must carry out an assessment to determine within 30 days.
Are There Content Requirements for the Data Breach Notice?
In the event of an "eligible data breach" an entity must prepare a statement describing:
- The identity and contact details of the entity (and if the data breach is also a data breach of any other entities, the identity and contact details of those other entities);
- A description of the breach;
- The kind(s) of information affected; and
- Recommendations for steps individuals should take in response.
The entity must provide the statement to the Information Commissioner and notify each relevant individual (if practicable), or otherwise publish the statement on the entity's website and take reasonable steps to publicise the statement.
Are There Exemptions to These Notification Requirements?
An entity that promptly and effectively responds to a data breach through remedial action will not be required to comply with the notification requirements if, as a result of actions taken by the entity, the breach is not likely to, or does not, result in serious harm.
Entities may also apply to the Information Commissioner for an exemption from, or an extension of time to comply with, the notification requirements, and would not be required to comply until the Information Commissioner has decided the application.
What Are the Penalties to Private Companies for Failure to Comply with the Notification Requirements?
Failure to comply can result in affected individuals filing a complaint with the Information Commissioner, prompting an investigation of the company. The Information Commissioner may also investigate without a complaint being made and may issue a determination requiring the company to:
- Compensate such individuals for any loss or damage suffered; or
- Take actions to redress any loss or damage or steps to ensure that an entity's conduct is not repeated or continued.
If the failure to comply with notification requirements is "serious or repeated", companies may be liable for penalties of up to A$1.8 million (A$360,000 for individuals).
- Expect a greater number of reported data breaches following the Commencement Date of Australia's mandatory data breach notification requirements.
- Significant reputational damage to entities related to the publication of data breaches is possible, along with potential for increased litigation concerning significant breaches.
- If an entity suspects there has been a breach, but is not certain that it is an "eligible data breach," the entity must carry out an assessment to make that determination within 30 days.
- The identification of "serious harm"—or its absence—related to a data breach is imperative.
- Entities should minimise the risk of data breaches, while also preparing for mandatory breach notifications. Training and testing can prepare companies to effectively respond to breaches and satisfy the notification obligations.