New Data Breach Requirements in Australia
News reports of computer hackers breaking into the systems of large companies and government organisations to steal customer data and other proprietary information have become common over the past decade. Often, those security breaches have involved the theft of personal details, passwords, credit card numbers and other sensitive information.
In just the last 18 months, Yahoo, MySpace and LinkedIn have each reported data breaches involving more than 100 million of their users.
It is against this background that the Australian government has been working for several years to enact legislation that requires local companies and government entities to give notice of data breaches. The result of those efforts was the passage in 2017 of an amendment to the Privacy Act 1988 (which will go into effect on 22 February 2018) requiring companies that suffer a data breach to notify the Office of the Australian Information Commissioner (“OAIC”) and any persons affected by that breach.
In this article, we answer some basic questions about this new addition to the Privacy Act.
Who does the law apply to?
The new data breach provisions apply to ‘entities’ that are subject to the Privacy Act: primarily, specified government agencies and all companies with annual revenues above $3 million, though some companies with revenues of less than $3 million, such as those that handle health-related information or hold government contracts, are also included.
What does the law require?
There are two basic elements of the law: the definition of an “eligible” data breach, and the requirements for when an entity must report an eligible breach.
An “eligible data breach” occurs if there has been unauthorised access to, unauthorised disclosure of, or loss of, personal information from an entity, and that access, disclosure or loss is likely to result in serious harm to the individuals that the personal information relates to. (Note that the Privacy Act defines “personal information” as “information or an opinion about an identified individual, or an individual who is reasonably identifiable” from that information or opinion.)
The term “serious harm” is not defined by the Act. However, the Act does list a number of relevant matters that should be taken into account in determining whether there may be serious harm, including the kind and sensitivity of the information involved and the likelihood that the persons who obtained the information intend to use it in a harmful manner.
Therefore, an accidental disclosure of a simple list of names by a company to one of its customers, for example, is less likely to be considered “serious harm” than unauthorised access by a Russian computer hacker to name, credit card and financial history data. In any case, if even a single person is likely to suffer serious harm, the entity must report the data breach (as described below).
Who must be notified – and how quickly?
The law requires that entities who suspect that a data breach has occurred must “carry out a reasonable and expeditious assessment” within 30 days of becoming aware of the breach to determine if it qualifies as an “eligible” breach. If the breach is deemed “eligible”, the entity must disclose the breach to the OAIC “as soon as practicable”. The notice must include the grounds on which the entity believes the breach to be “eligible”, the kinds of information involved, and the steps the entity will recommend to affected individuals in response to the breach.
At the same time the OAIC is notified, the entity must provide the same notice to the affected individuals directly or, if such direct notice is not possible, publish the notice on the entity’s website and take reasonable steps to publicise it (e.g. a press release, media advertising, etc.).
What are the penalties for a failure to comply with the new requirements?
Failure to comply with the new data breach requirements is deemed by the Privacy Act to be an “interference with the privacy of an individual”, which is the term the Act uses for a breach of any of the Australian Privacy Principles.
Where there is such a failure to comply, affected individuals can file a complaint with the OAIC, prompting an investigation. Alternatively, the OAIC can investigate a data breach on its own initiative. In either case, the OAIC can issue a determination requiring the non-compliant entity to, among other things, compensate affected individuals for any loss or damage they have suffered, or take actions to ensure the entity’s conduct is not repeated or continued.
Where the failure to comply with the new data breach requirements is “serious or repeated”, entities may be liable for up to $2.1 million in penalties ($420,000 for individuals).
Are there resources available to assist with the new data breach law?
The OAIC provides more detail about the new law on its website at www.oaic.gov.au, as well as a series of guides for securing personal information and responding to a data breach, including “Data breach notification – a guide to handling personal information security breaches” and “Guide to developing a data breach response plan”.
Linchpin® Liability limited by a scheme approved under Professional Standards Legislation.