The recent high-profile Sony Playstation incident involving the theft of personal information on a global scale has led to renewed calls in Australia to introduce privacy laws that would require organisations to notify individuals affected by a data breach (ie mandatory breach notifications).
In April 2011, cyber-attackers accessed the personal details of approximately 77 million people worldwide who have accounts on the Sony Playstation Network, including the personal details of more than 1.5 million Australians. The hackers were able to see Sony's internal records containing individuals' names, street addresses, email addresses, birth dates, passwords and, in some cases, credit card details.
In the wake of blanket (and somewhat hysterical) media coverage of the cyber-attack, the Minister for Privacy and Freedom of Information, Brendan O'Connor, announced that "a mandatory system of data breach notification appears necessary in the face of privacy breaches such as those we've seen recently".
The Minister also said that the Federal Government was considering enacting a mandatory disclosure regime as part of its second-stage response to the Australian Law Reform Commission's (ALRC) August 2008 report into Australian privacy law and practice (report). Notably, the report contained a recommendation that the Privacy Act 1988 (Cth) (Privacy Act) should be amended to provide that organisations must notify all individuals affected by any data breach.
THE CURRENT LAW
Australia's privacy laws do not currently impose an explicit requirement for individuals to be notified of data breaches. However, based on the Minister's comments, this may not be too far away.
In our experience, clients often assume that, because current privacy law does not require breach notification, that is the end of the story in respect of notifications for data breaches. However, organisations should be mindful that in some cases (while not obliged to notify individuals) they may be required to notify regulatory or other bodies, including the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA), in respect of a data breach.
DISCLOSURE OF DATA BREACHES TO INDIVIDUALS AFFECTED
There is a variety of Commonwealth, state and territory legislation that regulates the collection, use, disclosure and security of personal information about individuals. For example, organisations that are subject to the Privacy Act are required to take reasonable steps to protect the personal information that they hold from misuse and loss and from unauthorised access, modification or disclosure.
However, as noted, nowhere does the Privacy Act (or the relevant state or territory legislation) currently require an organisation to report a data breach to the affected individuals or to the Office of the Australian Information Commissioner (OAIC). At best, notifying individuals when a breach affects their personal information may, in some circumstances, be considered as a "reasonable step" that forms part of the obligation to keep personal information secure.
In the absence of a mandatory breach notification requirement, the OAIC encourages organisations to comply with the voluntary guidelines set out in its Guide to handling personal information security breaches (Guide). The Guide is intended to assist organisations to respond effectively to an information security breach.
The Guide identifies four key steps for organisations to consider when responding to a known or suspected information security breach:
- STEP 1: contain the breach and do a preliminary assessment.
- STEP 2: evaluate the risks associated with the breach.
- STEP 3: consider notification to all affected individuals.
- STEP 4: take measures to prevent future breaches.
In relation to Step 3, the Guide states that one of the key considerations in determining whether notification to individuals is appropriate is whether notification is necessary to "avoid or mitigate serious harm" to an individual whose personal information has been misused. Factors such as the ability of the individual, if notified, to take steps to avoid or mitigate possible harm (such as by changing account passwords) should inform this decision.
DISCLOSURE OF DATA BREACHES TO REGULATORS
Importantly, the Guide also acknowledges that in some circumstances it may be appropriate or necessary to notify third parties, such as the OAIC or the police (if theft or another crime is suspected), in the event of an information security breach.
Regulatory bodies, such as ASIC and APRA, may also need to be notified. In such cases the purpose of the notification is not to enable individuals to avoid or mitigate serious harm, but for the organisation to comply with mandatory notification requirements under the relevant regulations.
ASIC NOTIFICATION REQUIREMENT
An organisation that carries on a financial services business in Australia must hold an Australian Financial Services licence (AFS licence), unless it is covered by an exemption. Unless an AFS licensee organisation is a body regulated by APRA (as to which, see below), under the Corporations Act 2001 (Cth) (Corporations Act) the organisation must have:
- "Adequate technological resources" to provide financial services covered by the licence
- "Adequate risk management systems".
In general, whether an AFS licensee's technological resources or risk management systems are "adequate" depends on matters such as the nature, scale and complexity of the business. However, among other things, ASIC:
- Requires a licensee to have sufficient technological resources to "protect confidential and other information"
- Expects that a licensee's risk management systems will establish and maintain controls designed to manage or mitigate risks faced by the business, including risks that adversely affect consumers, and fully implement and monitor those controls to ensure that they are effective.
An AFS licensee must provide a written report to ASIC as soon as practicable and, in any case, no later than 10 business days after becoming aware of a breach (or likely breach) of the above obligations, provided that the breach (or likely breach) is 'significant'. Although the term 'significant' is not defined in the Corporations Act, AFS licensees are required to have regard to a number of factors when deciding whether the breach (or likely breach) is significant. These factors include:
- The extent to which the breach or likely breach indicates that the licensee's arrangements to ensure compliance with its obligations are inadequate
- The actual or potential financial loss to clients of the licensee, or the licensee itself, arising from the breach or likely breach.
In relation to the second factor, ASIC's view is that any breach (or likely breach) that causes actual or potential loss to clients (other than minimal and immaterial loss to a very small number of clients) is significant.
APRA NOTIFICATION REQUIREMENT
Similar considerations and mandatory notification requirements also apply to organisations that are regulated by APRA. For example, APRA requires that the organisations it regulates have clear accountability and communication strategies to limit the impact of IT security incidents (eg data breaches). APRA expects that it will normally be notified by a regulated organisation after that organisation experiences a major security incident.
Organisations should consider, for every data/security breach, whether it is necessary or appropriate to notify ASIC or APRA or the individuals affected in respect of that data/security breach, even though Australia's privacy laws do not currently contain a mandatory breach notification requirement.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com