On 22 February 2018, Australia’s new Notifiable Data Breach Regime will come into effect, introducing mandatory data breach notification obligations for all organisations subject to Australia’s Privacy Act 1988 (Cth).
The regime is set to have a significant impact on an organisation’s approach to cyber security, because it requires regulated entities to:
- conduct an assessment of a security incident if they have reasonable grounds to suspect that an ‘eligible data breach’ has occurred; and
- notify the Privacy Commissioner and affected individuals if they have reasonable grounds to believe that they have suffered an ‘eligible data breach’.
These obligations under the new regime must be read together with an entity’s security obligations under the Privacy Act 1988 (Cth). In particular, Australian Privacy Principle (APP) 11.1 requires entities to take reasonable steps to ensure the security of personal information.
In this article, we provide a detailed overview of the key terms and requirements of the new Notifiable Data Breach Regime, including a high level overview of the legislation, the factors to consider when assessing whether a data breach is an ‘eligible data breach’ and a handy checklist with the steps that your organisation should take to prepare for the new laws.
Who and what does the Notifiable Data Breach Regime apply to?
Whether the Notifiable Data Breach Regime applies depends on the entity involved in the data breach, and the information it holds.
For the Notifiable Data Breach Regime to apply, an entity must fall into one of the following categories:
- APP entities (as defined in the Privacy Act). These include organisations with an annual turnover of over $3 million, certain small businesses (e.g. one that provides a health service, or performs work as a government contractor), overseas organisations with an ‘Australian link’ (i.e. that carry on business in Australia, or collect/hold personal information in Australia) and Commonwealth agencies.
- Regulated credit reporting bodies. These are organisations or agencies that collect/use information to determine credit worthiness.
- Regulated credit providers (e.g. banks or other credit providers).
- Regulated tax file number recipients (entities that hold tax file number information).
Note: The Notifiable Data Breach Regime can apply to APP entities and credit providers even if they have disclosed the information overseas and no longer hold it. APP entities are deemed to hold the personal information they disclose to an overseas recipient if APP 8.1 applies. Credit providers are deemed to hold the credit eligibility information they disclose to overseas recipients under sections 21G(3)(b)-(c) or 21M of the Privacy Act.
The Notifiable Data Breach Regime applies if the data involved in a breach is:
- personal information held by an APP entity;
- credit reporting information held by a credit reporting body;
- credit eligibility information held by a credit provider; or
- Tax File Number (TFN) information held by a file number recipient.
If the data involved is not one of the above four types (e.g. confidential company information or de-identified information), the Notifiable Data Breach Regime will not apply, but other obligations may (e.g. contractual or disclosure obligations to the ASX).
What is an ‘eligible data breach’?
A data breach occurs if there is unauthorised access to, unauthorised disclosure of, or loss of information (e.g. personal information). However, the Notifiable Data Breach Regime does not impose obligations in respect of every data breach.
For the regime to apply, a data breach must be an ‘eligible data breach’. A data breach is only an eligible data breach if a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
‘Likely’ means more probable than not (rather than a possibility), under the judgment of a reasonable person in the entity’s position. ‘Serious harm’ includes physical, psychological, emotional, financial and reputational harm (being upset is insufficient). Three main factors affect whether harm is serious:
- the type(s) of information involved;
- the circumstances of the breach; and
- the nature of harm that might arise.
Entities need to consider each of the above three factors carefully when determining whether a breach is an eligible data breach. Some examples of eligible data breaches include:
- sending a data file containing sensitive information to the wrong recipient, without taking prompt remedial action;
- leaving a phone containing sensitive personal information, and not protected by a passcode, on a train; or
- accidental online publication by a debt collector of a person’s name.
A data breach may not be an eligible data breach if the data is protected to a high standard, because a reasonable person would not conclude that serious harm is likely. For example, if a company holding credit card information (encrypted to a high standard) is subject to a cyber-attack, the breach would not be an eligible data breach. This depends on the encryption actually preventing access: if the attacker also obtained the decryption key, or the encryption is weak enough to be broken in practice, the protection does not reduce the likelihood of serious harm and the breach must be assessed on that basis.
Notification requirements under the new regime
Under the new regime, you need to check whether you ‘suspect’ that a breach has occurred, or whether you ‘believe’ that a breach has occurred. What you need to do to meet your notification requirements differs greatly depending on whether you ‘suspect’ or ‘believe’ that a breach has occurred.
Reasonable grounds to suspect
Under the new regime, when an entity has reasonable grounds to suspect that there has been an eligible data breach, it must take reasonable steps to confirm:
- whether there was a data breach; and
- if so, whether the data breach is sufficiently serious (i.e. is it an eligible data breach?).
An entity will have reasonable grounds to suspect if there is information to suggest that a data breach may have occurred, but cannot confirm:
- whether a breach actually occurred; or
- how likely it is that the breach would result in serious harm to any affected individuals.
For example, if an entity receives an isolated complaint about a data breach (as opposed to multiple complaints from different users), the OAIC considers that the entity has reasonable grounds to suspect, but not yet reasonable grounds to believe, that a data breach has occurred.
The entity must complete its assessment within 30 days of becoming aware of the grounds for suspicion. The OAIC sees this 30 day period as the maximum time limit, and suggests entities complete their assessment in a much shorter time frame.
Reasonable grounds to believe
An entity will have reasonable grounds to believe that an eligible data breach occurred if it is aware that personal information has been accessed, disclosed or lost, and that this is likely to result in serious harm to an affected individual.
Under the new regime, when an entity has reasonable grounds to believe that an eligible data breach occurred, it must, as soon as practicable after forming that belief:
- Provide the OAIC with a written statement outlining the nature and extent of the data breach. This statement must contain the details set out in the legislation: the entity’s identity and contact details, a description of the breach, the kinds of information concerned, and the steps the entity recommends affected individuals take in response. The OAIC intends to publish a form on its website that covers all this information.
- Notify affected individuals about the breach, including the contents of the statement. An entity can choose how to communicate with individuals (e.g. by phone, email, SMS etc.), provided that the method of communication is reasonable. If a breach affects a wide range of individuals, and not all are at risk of suffering serious harm, the entity can choose whether to notify all affected individuals, or only the subset of individuals at risk of suffering serious harm. If direct notification is impractical, the entity must publish a copy of the statement on its website, and take reasonable steps to publicise it.
Direction to notify by the OAIC
The OAIC may also give written notice to entities directing them to notify the OAIC or affected individuals if it is aware of reasonable grounds to believe that there has been an eligible data breach.
This can occur if the OAIC is notified about the breach before the entity, or if the OAIC disagrees with the entity’s assessment of the seriousness of the breach.
Before requiring entities to notify, the OAIC will first invite the entity to make submissions about the breach. These submissions will be considered by the OAIC, so the entity may wish to argue that notification is not required, or only required to a limited extent.
Exceptions to notification under the new regime
There are some limited exceptions to the notification requirements set out above. These occur when:
- notification would be inconsistent with secrecy provisions (applies to both self-assessed notification and OAIC-directed notification);
- notification would prejudice law enforcement activities (applies to both self-assessed notification and OAIC-directed notification);
- remedial action was taken such that the breach is not an eligible data breach (applies to self-assessed notification only);
- another entity affected by the same data breach has already notified (applies to self-assessed notification only); and
- the OAIC has declared that notification is not required (applies to self-assessed notification only).
Enforcement of the notification requirements under the new regime
Failure to comply with the assessment or notification obligations is considered an interference with the privacy of an individual. For serious or repeated interferences with privacy, the Commissioner may seek civil penalties through the courts of up to $420,000 for individuals, or $2.1 million for organisations. Notification may also lead to an increased number of privacy complaints, and OAIC determinations awarding compensation.
The new Notifiable Data Breach Regime: A preparatory checklist
In order to help prepare your organisation for the new Notifiable Data Breach Regime, we recommend that you take the following steps:
- Conduct an information security audit.
- Establish a data breach response team.
- Update and test your data breach response plan.
- Update your internal cyber security policies and train staff.
- Review your key contracts with third party service providers.
The below checklist provides greater detail about what to consider in relation to each of these five steps and may assist you in your preparation for the new regime.
1. Have you conducted an information security audit?
An Information Security Audit will help you identify information risks, and how to strengthen your cyber security.
Four things to consider as part of your audit are:
1. Your data situation:
2. Your current cyber security measures:
3. The cyber security risks:
4. Check coverage of your cyber insurance policy.
2. Do you have a data breach response team?
It is important to react quickly in the event of a breach. To this end, we recommend establishing a data breach response team. This team should have:
3. Have you updated and tested your data breach response plan?
A data breach response plan sets out the processes that need to be followed internally when there is a data breach. At a minimum, it should:
Once you have a data breach response plan, we recommend conducting a ‘data breach drill’ – test your plan, see how it would work in practice, and make any necessary improvements.
4. Have you updated your internal policies and organised staff training?
With the introduction of mandatory data breach notification, it is now more important than ever that board members and staff are made aware of your organisation’s cyber security policies and procedures.
Some key things to educate your staff on include:
This information should be clearly communicated to employees through staff training sessions and internal organisation-wide updates. Prepare a ‘Key Takeaways’ document for all your staff so they know what to do if they come across a cyber security issue.
5. Have you reviewed your contracts with third parties?
Where a third party stores or has access to your data, it may be necessary to review the relevant contracts to ensure that:
Finally, contracts should allocate responsibility for a data breach, including setting out who will pay the costs for investigating and remediating a breach, and for paying any potential penalties.