Last week was a big week in cyber-security, with both Kmart and David Jones notifying the public that they had experienced external data breaches in relation to their online customer database. The retail giants were quick to point out that no credit card or other financial data of their customers had been exposed.

Both companies appear to have quickly contained any further breaches and notified those affected. Whilst the companies say there is no indication that the data has been misused, once an unauthorised third party has accessed data, questions naturally arise as to that party's motivation. This factor would presumably have fed into the companies' assessment of whether there was a 'real risk of serious harm', the trigger point for notifying affected individuals under the Australian Privacy Principles (APPs).

It is currently voluntary to notify the Office of the Australian Information Commissioner (OAIC) when an organisation experiences a data breach, but the Government has indicated that it will legislate by the end of 2015 to make notification mandatory where the breach presents a real risk of serious harm to the affected individuals.

Whilst the benefits of notification must always be weighed against the commercial risks, the benefits of notifying or disclosing a breach include the following:

Trust and transparency: affected customers of Kmart and David Jones were contacted by email shortly after the event occurred, presumably leading those customers to conclude that the organisations were treating the event as a priority.

Reduce the risk of further harm: by notifying affected customers, the individuals (and therefore the organisations) are able to reduce the risk of further harm. For example, the David Jones notification warns customers to be vigilant about unsolicited requests for their personal information that appear to come from David Jones. Conversely, if individuals in similar situations were not notified and therefore did not take steps to prevent further disclosure that they could otherwise have taken, the organisation may have faced greater liability under the APPs.

Possibility of lighter penalties (than if the OAIC finds out by other means): it is not surprising that the OAIC, which is responsible for investigating data breaches and can hand out fines of up to $1.7 million, may look favourably upon organisations that acted quickly and transparently in reporting a data breach. Both companies reported to the OAIC in this case, a step consistent with their also notifying affected individuals (who may in turn complain to the OAIC).

Ultimately, the circumstances of each data breach will be different, and careful consideration needs to be given to ascertaining the risk of harm to affected individuals and hence the need to notify. Buy-in is needed at management level to ensure that the decision is well understood across the organisation and that response plans are in place.
