Data security breaches have been on the rise for many years now, with governments and regulators responding in many ways. One element of the response is to require organisations who experience a data security breach to notify relevant regulators and, most importantly, the people whose data has been compromised.
In a previous edition of Red Tape, we canvassed a broad range of legal issues associated with cyber security incidents. SEC Chair Mary Jo White has recently described cybersecurity as the biggest risk facing the financial system. China has also recognised the importance of cybersecurity to national security and is in the process of reforming its cybersecurity laws, as reported last year. In late May 2016, Hong Kong’s banking regulator launched a “Cybersecurity Fortification Initiative”, following a spate of recent regional and local scandals involving banks.
In this article, we look at recent developments in the EU and Australia in relation to one of those legal issues, namely data breach notification laws.
Mandatory data security breach reporting laws have been in place in the United States of America for many years now. Canada, Korea and, more recently, South Africa have also enacted such laws. In the EU, the requirement currently applies only to businesses in certain sectors (electronic communications providers). Breach reporting in Hong Kong is not strictly required under law, but is expected under guidelines issued by both the Privacy Commissioner for Personal Data and by financial regulators.
European Union – 72-hour notification
One of the most significant recent developments has been the adoption of the General Data Protection Regulation (GDPR) by the European Union. On 4 May 2016, the European Parliament and the European Council published the GDPR in the Official Journal of the European Union. This has been the final step of a legislative process spanning over five years. The GDPR will enter into force on 25 May 2018.
The GDPR contains an obligation to notify:
- the relevant data protection supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (Article 33); and
- the data subject without undue delay “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” (Article 34).
If an organisation considers that there is no such high risk, the supervisory authority will have the power to require the organisation to notify data subjects if it disagrees. If an organisation fails to notify, it may be liable to an administrative fine of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)) (for certain other breaches of the GDPR, the fine can be up to €20 million or 4% of total worldwide turnover). This is in addition to any liability that the organisation may have to affected individuals.
Based on our experience, we anticipate that many organisations will take the view that it is not feasible to report sensibly to the regulator within 72 hours of becoming aware of a data breach. In many instances, only the basic information about the extent of the breach and the manner in which it occurred will be known within this period.
If the breach is the work of a sophisticated attacker, the attacker will likely have been exploring the organisation’s systems for weeks or months before the organisation became aware of the breach (or part of it). So while the obvious causes of the breach will have been identified and contained within the initial 72-hour period, response teams will frequently spend more time assessing whether the attacker has identified other vulnerabilities. This may lead to staggered notifications to the relevant regulator, culminating in a later notification to data subjects once the degree of risk has been more clearly assessed.
We expect that even vigilant regulators will be wary that individuals may experience counter-productive “notification fatigue” if lower-risk incidents are routinely notified.
Australia – notification “as soon as practicable”
In late 2015, the Australian Government released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill for public consultation. This was against the background of public statements from both of Australia’s main political parties supporting the introduction of data breach notification laws. More than 40 submissions were received (the text of the Bill and the submissions are published here). In April 2016, the government indicated that it intended to introduce a version of the Bill into Parliament. However, it did not do so before Parliament was dissolved for an election (which is underway at the time of writing).
Unlike the EU’s expectation of a 72-hour period in which to notify, the test proposed by the exposure draft of the Australian Bill was to notify “as soon as practicable” after becoming aware that there are reasonable grounds to believe that there has been a serious data breach. Further, the concept of “as soon as practicable” was clarified so as to allow the organisation to carry out a reasonable assessment of whether there are reasonable grounds to believe that a serious data breach has occurred, provided that the assessment is carried out within 30 days of becoming aware.
The maximum penalty associated with a failure to notify in Australia is A$1.8 million, which is considerably lower than those in effect under the GDPR.
Due to the Australian election, progress of this Bill is now delayed, although both major parties are on the record as supporting legislation of this kind. Accordingly, organisations operating in Australia should be prepared for such laws to be implemented during the next term of government (Australia has a three-year election cycle, so the next election will likely be in 2019).
Will increased notification result in class action litigation?
Large-scale data breach incidents that have been notified under US law have often led to class action litigation being commenced. However, as a percentage of the total number of reported breaches, the number of class actions is quite low. Various studies have found that approximately 5% of publicly reported breaches resulted in class action litigation.
While some prominent class actions have resulted in substantial damages awards or settlement sums, businesses have had more success defending class action claims in recent years. This can be attributed to the 2013 decision of the US Supreme Court in the Clapper case, which raised the bar by requiring the lead plaintiff to prove that there was a substantial risk that they would suffer an injury or damage as a result of the breach.
The courts have held that mere loss of data, without evidence that it has been viewed or misused, is not an injury sufficient to confer standing. However, not all cases can be defended on this basis, because there are cases in which damage has actually transpired or where a threatened injury is “certainly impending”.