On 17 October 2012 the Attorney-General’s Department issued a discussion paper seeking views on the introduction of legislation that would mandate the reporting of data security breaches. 

Presently in Australia there is no statutory duty to report breaches of personal data security measures, either to the Privacy Commissioner or to affected individuals. It is possible that, in some circumstances, organisations may owe a duty of care to affected individuals to notify them of certain serious breaches of data security, but no case has established such a duty. Some organisations voluntarily report serious breaches of data security to the Privacy Commissioner and to affected individuals. According to the discussion paper, the Commissioner received reports of 56 data breaches in the 2010-11 financial year and opened investigations into 59 breaches that were not notified.

Mandatory data security breach legislation was first introduced in the United States in 2003. Now 47 of the 50 states have enacted such legislation. The European Union has enacted a directive that applies to the telecoms sector requiring reporting of data security breaches, and that directive has been implemented in most member states. A European Directive that would impose similar obligations across all sectors of the economy is under active consideration.

Typically, these laws require organisations that have suffered data security breaches to notify a regulator and also the affected individuals. The usual rationale for notifying the affected individuals is to allow them to take “self-help” measures to mitigate their potential losses, such as cancelling their credit card if their credit card details have been compromised by a merchant or payment processor who had retained a copy in their records.

In many data breach scenarios, a large number of individuals are potentially affected, but each of them typically suffers only a small financial loss. Plaintiff law firms in the United States regularly commence class actions within days of the notification of data security breaches, seeking to recover losses on behalf of all affected individuals. Data security breach cases have resulted in some substantial settlements in the United States. For example, card payment processor Heartland Payment Systems, Inc paid settlements of more than US$100m after hackers obtained access to consumers' credit and debit card account information. Heartland announced its discovery of the security breach on 20 January 2009, and the first class action was filed on 23 January 2009.

If mandatory data security breach reporting were introduced in Australia, it is possible that class actions would be commenced here in such cases. Alternatively, a representative complaint could be pursued before the Privacy Commissioner. Assuming that the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 is enacted substantially in the form in which it has been passed by the House of Representatives, a serious data security breach would, most likely, contravene section 13G of the Privacy Act and, if action were taken by the Privacy Commissioner, the organisation responsible would be exposed to civil penalties of up to A$1.1m.

With the growth of online commerce, the personal data of Australians is increasingly being held outside Australia. One of the key issues for any Australian legislation will be the extent to which it would apply to organisations that do not carry on business in Australia but nevertheless transact with Australian individuals. Would the Australian legislation apply if there was a breach of security at a data centre outside Australia operated by a business that did not have any place of presence or agents in Australia? If so, would it apply only to the extent that the breach affected Australian residents? Surprisingly, these are not among the questions posed by the discussion paper.

The paper does raise other threshold questions, such as:

  • how serious must the breach be before it is reportable?
  • who should be notified about the breach (Privacy Commissioner and affected individuals) and in what order?
  • who decides whether the breach is to be reported to affected individuals?
  • in what timeframe should the notice be given?
  • what information should the notice contain?
  • what penalty or sanction should be available if an organisation fails to notify when required to do so?

The passage of mandatory data security breach legislation in Australia, coupled with the new enforcement powers for the Privacy Commissioner contained in the Enhancing Privacy Bill, has the potential to result in far more serious consequences for organisations doing business in Australia than has been the case since privacy laws were extended into the private sector in 2001.

Submissions responding to the discussion paper are due on 23 November 2012.