In the context of an ever-increasing number of reported data breaches, both locally and internationally, some of which have attracted very significant media interest[1], the Federal Government has responded by proposing the introduction of legislation that would create a mandatory data breach notification scheme for both Government agencies and most businesses with over $3 million in annual turnover.
An exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) has been released for public comment. Submissions are due by 4 March 2016.
Although mandatory data breach notification laws have been on the table for some years, the immediate impetus for legislative reform is the February 2015 inquiry of the Parliamentary Joint Committee on Intelligence and Security, which recommended that such laws be introduced. At the moment the regulator, the Office of the Australian Information Commissioner (OAIC), administers a voluntary breach notification scheme. The OAIC received 100 voluntary data breach notifications in 2014-15, up from 67 notifications in 2013-14 and 51 in 2012-13. Currently, mandatory data breach notification is only required in the event of unauthorised access to eHealth information under the My Health Records Act 2012 (Cth).
The proposed Bill is based on recommendations of the Australian Law Reform Commission (ALRC). Chapter 51 of the ALRC’s 2008 report, entitled ‘For Your Information: Australian Privacy Law and Practice’, dealt with data breach notification. The ALRC noted that a data breach could occur notwithstanding an agency’s or business’s compliance with the Privacy Act 1988 (Cth) where, for example, its website had been hacked. Accordingly, the principal purpose of data breach notification laws is not punitive but rather to enable individuals affected by serious data breaches to take remedial steps to avoid potential adverse consequences, such as financial loss or identity theft, by, for example, cancelling credit cards or changing online passwords.
How the proposed scheme works
The proposed Bill amends the Privacy Act. The existing scope of the Privacy Act is considerable. The Act applies to Government agencies as well as most businesses with an annual turnover of over $3 million.[2] In addition, the Act has extra-territorial operation, extending to acts done or practices engaged in by entities beyond the territorial limits of Australia, on the proviso that there is an ‘Australian link’.[3]
The key element of the proposed Bill is the requirement that entities report what is termed a ‘Serious Data Breach’. A Serious Data Breach must not only be reported where it is known to have occurred; it must also be reported where the entity has reasonable grounds to believe that such a breach has occurred.
A Serious Data Breach is an instance where the following circumstances create a real risk of serious harm:
- unauthorised access to, or unauthorised disclosure of, information;
- information is lost, making unauthorised access or disclosure likely; or
- information is lost and, as a result, unauthorised access to or disclosure of the information may occur.
Relevant information which is lost, accessed or disclosed without authorisation includes personal information, credit reporting information, credit eligibility information and tax file number information. This includes information or an opinion about an identifiable individual, information relating to that individual, information relating to their credit history or any information held by a credit reporting body that relates to an individual or which is disclosed by a credit reporting body to a credit provider. It also includes a recording of the tax file number of a person where that recording connects the number to the identity of the individual.
In order to be considered a Serious Data Breach, the loss or unauthorised access must create a ‘real risk’ of serious harm, where ‘real risk’ is defined as a risk which is not remote.
The risk of harm is defined broadly to include physical, psychological, emotional, economic and financial harm, as well as harm to an individual’s reputation.
If a Serious Data Breach (or potential breach) is identified, the entity is required to publish a report that incorporates:
- a description of the Serious Data Breach;
- the information or nature of the information concerned;
- recommendations about the steps that individuals should take to protect themselves from the consequences of the Breach; and
- contact details for the entity.
The report must be provided to the OAIC and to each individual whose personal information is concerned, and must also be published on the entity’s website. The entity is required to take reasonable steps to publicise the contents of the report.
If an entity is unsure whether a Serious Data Breach has occurred, it has 30 days within which to undertake an assessment of the situation. If, after undertaking that assessment, the entity has reasonable grounds to believe that a Serious Data Breach has occurred, it must publish a report.
The proposed consequences for non-compliance with the mandatory reporting requirements are consistent with existing provisions of the Privacy Act. If the OAIC believes that an entity has not complied with the mandatory reporting requirements, or a complaint is made concerning this, the OAIC has broad powers to investigate and thereafter make recommendations. Recommendations might include that steps be taken within a specified timeframe to remedy any non-compliance. The recommendations are potentially enforceable by order of the Federal Court or Federal Circuit Court.
Individuals who suffer harm as a result of a Serious Data Breach would only have a limited right to recover compensation under the Privacy Act. Although sections 25 and 25A of the Privacy Act confer a right to claim compensation, there is a carve-out for contraventions that amount to an ‘interference with the privacy of an individual’[4]; the proposed Bill provides that an entity which breaches the mandatory reporting requirements has engaged in a contravention of this type. In other words, unless an entity additionally contravenes another section of the Act[5], it is doubtful whether affected individuals would have a statutory right to seek compensation.
Consistent with existing provisions of the Privacy Act, where an entity breaches its mandatory reporting requirements, the OAIC may apply to the Federal Court or Federal Circuit Court for an order that the entity pay a pecuniary penalty. This could result in the entity (in the case of a body corporate) being liable for a civil penalty of up to $1.8 million, in addition to costs of the proceeding.
Although the legislation is likely to have widespread public support, the Australian Chamber of Commerce and Industry has recently stated that its preference is for a scheme of self-regulation through industry codes.[6]
It is likely that, at this point in time, the Bill will be introduced and passed in substantially the same form as the exposure draft. It has been widely reported that the Bill has bipartisan support.[7] Accordingly, going forward, Government agencies and affected businesses should, in anticipation of the passage of the legislation, review the adequacy of their cyber security and cyber resilience plans.[8]
Affected businesses should also review the need for a cyber-risk insurance policy, and discuss this with their insurance broker. Such policies are now widely available in the Australian market and, among other things, typically provide cover for fines and penalties following data security breaches.