Get Ready – 2018 is set to be the year for mandatory reporting of data breaches
Until now, data breach reporting in Australia has been largely voluntary. While regulated entities have been legally obligated to take reasonable steps to maintain the security of personal information held, there has been no obligation to notify individuals if their personal information is compromised.
A lack of awareness of such breaches has hindered individuals from taking preventative action against crimes and identity theft by, for instance, cancelling credit cards or changing passwords. With incidents of identity theft and crime continuing to rise at an alarming rate, and stolen data—including PayPal and credit card account details and bank login credentials—being made available for sale on dark web marketplaces, data breach is now considered to be a widespread issue and seriously impacting individuals, businesses and government agencies.
Finally though, after many years of stops and starts, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) passed the Senate on 13 February 2017 and received assent on 22 February 2018. The reforms amend the Privacy Act 1988 (Cth) (Privacy Act) to impose mandatory data breach notification on Australian Privacy Principle (APP) entities when there has been an eligible data breach. Failure to comply exposes entities to penalties, including fines of $360,000 for individuals and $1.8 million for organisations. We look at the changes the legislation introduces and the implications of these changes for APP entities.
State government organisations, local councils and organisations with an annual turnover of less than $3 million are exempt from the Privacy Act. However, mandatory reporting applies to:
- Australian government agencies
- businesses and not-for-profit organisations with an annual turnover of more than $3 million
- private sector health services providers (including alternative medicine practices, gyms and weight loss clinics, which fall under this category)
- child care centres, private schools and private tertiary education institutions
- businesses that sell or purchase personal information along with credit reporting bodies
- some smaller organisations, such as those that handle health data, and
- individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records.
Data breaches occur where there is:
- unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (affected individuals), or
- where personal information of affected individuals is lost in circumstances that may give rise to unauthorised access or unauthorised disclosure.
- Data breaches may be caused by malicious intentional actions, such as a serious cyber security incident, accidental loss, loss from negligence or loss from improper disclosure.
Eligible data breaches
- The mandatory reporting provisions apply where a reasonable person would conclude that there is a likely risk of serious harm to any affected individual as a result of the data breach.
- Serious harm in the context of the reporting requirements may include serious physical, psychological, emotional, economic, reputational and financial harm, as well as any other form of serious harm that the breach could cause to the affected person
An APP entity that suspects or is aware of an eligible data breach must conduct a reasonable and expeditious assessment of the circumstances. Once a breach is determined, the APP entity must notify the Privacy Commissioner, other relevant regulators (such as APRA) and affected individuals as soon as possible. This assessment must take place within 30 days of becoming aware of the eligible breach.
The contents of the notification must include:
- identification and contact details of the entity
- a description of the serious data breach
- the kind/s of information conceived, and
- recommended steps that affected individuals should take in response to the serious data breach.
Outsourcing and third party service arrangements
An APP entity that discloses personal information to an overseas recipient will remain accountable for an offshore eligible data breach, even if the APP entity is not itself responsible for the offshore breach. The entity will be required to comply with the reporting requirements as if it was itself holding the information at the time of the eligible breach.
If more than one entity jointly and simultaneously holds the same particular record of personal information, an eligible data breach may give rise to each entity having reporting obligations. This means that in an outsourcing or shared services arrangement—where one entity may store personal information in an online platform provided by another entity—both entities are “holding” the information in line with the definition under s 6(i) of the Privacy Act and have mandatory reporting obligations.
Implications for APP entities
The reforms require an immediate review of privacy programs and protocols to accommodate the new requirements and ensure compliance with:
- identifying eligible data breaches
- the investigation process—it must be carried out and completed in the required time frame and all the required information collected
- the allocation of responsibility for investigations and the determination of the breach in terms of severity and reporting requirements
- briefing all outsourced and service providers to implement suitable oversight and required investigation processes when a breach takes place
- the review and possible modification of all service contracts to determine the right of the APP entity to audit compliance with the reforms
- the review of third party processing and storage arrangements to determine the waterfall effect and, in particular, the contracts that use offshore labour (i.e. call centres and claims centres) or where information is stored and held offshore, to determine if contract amendments are required, and
- identification of risks and documenting the processes for managing global companies, such as platform providers and cloud providers, who may share storage and therefore hold personal information on behalf the company.