In February 2017, the Australian Federal Parliament passed legislation to amend[1] Australia’s privacy law to introduce a mandatory data breach notification regime. The new regime, once implemented, will require agencies and organisations subject to Australia’s Privacy Act 1988 (Cth) to notify data subjects and regulators in the event of an eligible data breach.

Mandatory notification laws have had significant repercussions in other global jurisdictions, introducing previously unheard of costs and consequences for companies when security events occur. With a more open and transparent approach to laws governing the handling of data comes an increased expectation from consumers and stakeholders as to the handling and security of data. In other jurisdictions, mandatory notification has resulted over time in more regulatory investigations, complaints and litigation brought by consumers and stakeholders.

The passage of the first breach notification law in the United States in 2003 had an immediate impact on a company's exposure after a security event. Suddenly, companies had to formally investigate potential security events under strict deadlines and publicly disclose these events if they impacted personally identifiable information. As you can imagine, it did not take very long for the plaintiff attorneys to begin filing class action lawsuits against companies after they disclosed a breach event. In addition, within a few years, regulators began actively investigating breach events. Interestingly, many of the lawsuits and regulatory investigations focus on how the company responded to the breach event, contending that the company did not have a proper plan in place and/or did not notify the public of the incident quickly enough, rather than on how the breach occurred.

- Christina Terplan, Partner Clyde & Co San Francisco

Australia’s new regime will take effect from 23 February 2018 (or an earlier date as chosen by the Minister), but smart businesses are preparing now. Mandatory notification laws require organisations to carefully consider the practical issues that arise in responding to a data breach, and the unique crisis management challenges that these events can cause. They require close coordination between an organisation’s management, risk and IT teams, as well as the internal and external legal and communications teams, to effectively and efficiently investigate, triage and manage the breach.

This article looks briefly at the new laws, and the key first steps an organisation should take in addressing these new challenges. Over the coming year, we will look more closely at different aspects of the new laws and as to how organisations can work to ensure compliance.

The new laws at a glance

By way of short summary, the key points to note from the new laws are as follows:

  • The notification regime will apply to all organisations which are APP entities under the Privacy Act 1988 (Cth) as well as other entities including credit providers, credit reporting bodies and file number recipients.

  • The trigger for notification to the Office of the Australian Information Commissioner (OAIC) is an "eligible data breach" which means a breach where:

    • there is unauthorised access to, or unauthorised disclosure of, information; or

    • information is lost in circumstances where unauthorised access or disclosure is likely to occur; and

    • a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to which the information relates.

  • "Harm" can include physical, psychological, emotional, and financial harm.

  • Factors to be considered in determining whether a breach is likely to result in serious harm include the kind and sensitivity of the information, the security measures in place to protect the information and who is likely to have obtained the information.

  • If an entity is unsure whether an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment and take no longer than 30 days to make this determination.

  • Once it has been confirmed that an eligible data breach has occurred, an entity must:

    • prepare a prescribed statement and provide a copy to the OAIC as soon as practicable after becoming aware of the occurence of an eligible data breach; and

    • if it is practicable to do so, take reasonable steps to notify the contents of the statement to individuals to whom the information relates, or to those at risk from the eligible data breach. If neither option applies, the statement should be published on the organisation's website and reasonable steps taken to publicise the contents of the statement. This must be done as soon as practicable following completion of the statement.

  • There are a number of exceptions to the notification laws, which apply in particular circumstances. These exceptions include: where remedial action is taken before harm is caused; where a data breach impacts multiple entities; where the breach is notifiable under section 75 of the My Health Records Act 2012 (Cth); where notification may prejudice enforcement related activities; or where notification is inconsistent with Government secrecy provisions.

  • Failure to comply with the notification regime is considered an "interference with the privacy of an individual" under the Privacy Act 1988 (Cth) which can currently result in fines of up to AUD 1.8 million.

This "serious harm" requirement is intended to avoid the problem of excessive notifications which could arguably place an unreasonable compliance burden on regulated entities and contribute to notification fatigue. Assessing whether serious harm is likely to result from a breach will be a key challenge for organisations under the legislation and will require entities to quickly determine the scale and type of records compromised by a security incident, to identify all of the actors who were involved in the incident, and to understand and assess how the personal information that has been compromised could be misused; for example to commit financial fraud, identity fraud, or cause harm to individuals.

Similarly, assessing what a "reasonable person" would conclude, as to whether serious harm is "likely" will be a challenge for businesses, particularly in a breach scenario where time will be of the essence.

The OAIC is expected to release, later this year, guidance for the industry as to the various concepts and trigger tests under the new laws, and we will provide additional guidance on these and other issues later in the year.

Where to start and how to prepare

A. Know your data

Effective data management requires knowledge as to what data is captured and held within an organisation. In an age where data regularly sits across a number of systems, platforms and mediums, it is an essential first step to consider what data you capture and hold and as to what your legal and regulatory obligations are relating to that data.

So, consider the data you collect and as to who it relates to. Where does the data sit in your organisation, and how it is managed – who is responsible for its collection, storage, security and destruction? What information might sit on systems? Do you need the data to be held in fully identifiable form or can it be destroyed or deidentified? Data is no different to any other asset which must be considered, audited and assessed so as to set out an effective management strategy.

B. Incident response plan

Key to the effective management of any incident is an incident response plan. Even before the introduction of the mandatory notification regime, the OAIC expected to see a pre-prepared and considered plan being used in the management of a data breach.

The new regime in Australia requires swift action to be taken to determine if an incident is an eligible data breach and, if so, what notification to regulators and other parties is required. Now, with a 30 day timeframe within which to assess whether an incident is an ‘eligible data breach’, the need for an efficient plan is all the more apparent.

An effective plan should form part of an organisation’s broader data management and governance plan, and should set out how an organisation will respond to a breach including, at a minimum:

  1. How incidents are identified – who has oversight over the coalface, and how are incidents reported internally?

  2. How the response team is determined and called – who plays a part in the response team and do they know their role?

  3. How incidents are to be assessed as ‘eligible data breaches’ – who takes charge and how do the various internal stakeholders (legal, risk, IT, communications etc) work together to assess and consider the risk of harm?

  4. How cyber insurance will support the organisation’s incident response (including the way notifications are to be made under the policy) and the process for providing breach response services included in the cover?

  5. How third party experts are engaged – what external experts are required and are they on call?

  6. How the investigation is documented – who is recording the steps taken and compiling a report, and does it need to be privileged? Click here to view our recent article on preserving privilege.

  7. How the plan is tested – who is responsible for ongoing monitoring, testing and auditing of the plan?

C. Staff awareness and training

Regular staff training is a key strategy organisations have adopted to minimise the risk of data breaches. Training should provide an overview of the risks associated with handling particular data sets, including the damage that may be caused due to any mishandling of that data, and the key steps in an organisation’s incident response plan that are relevant to the staff member.

Training will vary dependent on seniority and roles within an organisation – but all levels, from those customer facing staff through to the board of directors, should be aware of the changing regime and the need to be alert to data incidents and data breaches on an ongoing basis.