On 22 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 received Royal Assent, giving the green light to the commencement of the long-awaited mandatory data breach reporting regime in Australia. The Bill as passed is available from the Parliament of Australia website.
Under the new requirements, entities that are bound by the Privacy Act 1988 (Privacy Act), known as "APP entities", will be obliged to notify the Privacy Commissioner and affected individuals of any "eligible data breach" as soon as practicable after becoming aware of it. Where an APP entity merely suspects that an eligible data breach has occurred, it will have up to 30 days to assess whether there are reasonable grounds to believe that one has occurred; if the assessment confirms the breach, the notification obligation then applies.
In this eBulletin we look at what makes an "eligible breach" and what you should do if your business is bound by the Privacy Act.
What is an "eligible data breach"?
A "data breach" occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure, or other misuse or interference. A data breach is an "eligible data breach" where "a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure".
The Explanatory Memorandum to the Bill states that "likely" means "more probable than not", and that the "serious harm" can extend to "serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation".
How should an APP entity respond to an eligible data breach?
There are four key steps that an APP entity should take in response to an eligible data breach. These are:
- contain the breach and conduct a preliminary assessment;
- evaluate the risks associated with the breach;
- notify the Privacy Commissioner and affected individuals; and
- prevent future breaches.
A notification of an eligible data breach must:
- identify the entity and provide up-to-date contact details;
- provide a description of the data breach;
- detail the information that was subject to the breach; and
- make recommendations about the steps that individuals should take in light of the breach.
Where it is impracticable to notify individual customers of an eligible data breach, an entity must publish the above details on its website, and take reasonable steps to publicise the details.
As mentioned above, affected individuals should be notified as soon as practicable after the entity becomes aware, or ought reasonably to have become aware, that an eligible data breach has occurred. Where an assessment is needed to determine whether an eligible data breach has occurred, the entity must take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for suspicion. The Explanatory Memorandum explains that the 30-day period is a maximum rather than a target: the assessment should be completed as quickly as possible, and the period is not a hard deadline only because in some instances the complexity or nature of the breach may make it impossible to complete the assessment in time.
What are the consequences of failing to report eligible data breaches?
Failure to comply with the new breach notification laws will constitute an interference with the privacy of an individual under the Privacy Act. This triggers the powers of the Privacy Commissioner to investigate, make determinations and provide remedies for non-compliance with the Privacy Act. The Commissioner can impose a range of consequences, from public apologies and compensation payments to, for serious or repeated interferences with privacy, civil penalties. Civil penalties are currently $360,000 for individuals and $1.8 million for bodies corporate.
When do the requirements commence?
The new requirements will commence by 22 February 2018 unless an earlier date is fixed by proclamation.
What should you do if you are an APP entity?
APP entities should develop processes for detecting, containing and managing data breaches, including a detailed data breach response plan that covers the 30-day assessment period and the content required in a notification. In addition, APP entities should consider whether cyber insurance policies can assist with reducing the risk associated with a cyber incident. For APP entities that already have cyber insurance in place, we recommend that they ensure they are familiar with any conditions of their policy that dictate the steps they should take in response to a covered event, and that their response plan is consistent with those conditions. Acting otherwise than in accordance with the policy terms may entitle the insurer to reduce amounts payable under the policy to the extent the insurer's interests have been prejudiced.
Although updated guidance will be provided by the Office of the Australian Information Commissioner in due course, there are currently two guides available which set out a best practice model. These are: