The Australian daily deals website, Catch of the Day, experienced a cyber attack whereby encrypted passwords and user information were taken from its database
The hacking occurred in 2011. Three years later, Catch of the Day notified the national privacy regulator, the Office of the Australian Information Commissioner (OAIC) and informed customers of the data breach. The OAIC expressed concern about the significant delay in notifying affected individuals of the incident. However, Catch of the Day was not penalised.
Under the Privacy Act, organisations with an annual turnover above $3m (APP entities), are required to minimise the likelihood that personal information in their possession is compromised. Specifically, Australian Privacy Principle (APP) 11 requires an APP entity to take active measures to ensure the security of the personal information it holds. In some circumstances, this may include notifying individuals when the security of their personal information has been breached in order to minimise the potential misuse of the information. Despite this obligation, many organisations do not notify affected individuals on becoming aware of security breaches – even where sensitive information is released and significant harm may result.
Many businesses experiencing a security breach may be reluctant to notify those affected given the potential damage to the brand. The costs associated with repairing the business’s reputation are likely to outweigh any penalties which may be imposed by the OAIC. Furthermore, the likelihood of actually being investigated by the OAIC and having significant penalties imposed is slim. It appears that the OAIC has a major backlog of privacy matters to determine - the OAIC is still making findings under the previous privacy legislation which was replaced in March 2014.
In addition to the current security requirements under APP 11, it is likely that APP entities will legally be required to notify affected individuals of unauthorised access to, or disclosure of, their personal information under a mandatory data breach notification regime. Under the current Serious Data Breach Notification Bill, the OAIC and affected individuals will need to be notified within 30 days if there are reasonable grounds to believe that a serious data breach has occurred. A “serious data breach” is one that involves a real risk of serious harm to the individual to whom the information relates.
Public comments on the draft Bill have been released and, according to the Attorney General’s department, the legislation is to be introduced this year. It remains to be seen whether a mandatory notification regime will encourage organisations to implement appropriate safeguards to minimise the likelihood of unauthorised access or disclosure. Hopefully however, it will prevent entities waiting three years before reporting a breach.