Last week was a big week in cyber-security, with both Kmart and David Jones notifying the public that they had experienced external data breaches in relation to their online customer database. The retail giants were quick to point out that no credit card or other financial data of their customers had been exposed.

Both companies appeared to quickly contain any further breaches and to notify those affected. Whilst the companies say there is no indication that the data has been misused, when an unauthorised third party has accessed data, questions do spring to mind as to motivation. This factor would presumably have gone to the companies' assessment regarding the 'real risk of serious harm', the trigger point for notification of affected individuals under the Australian Privacy Principles (APPs).

It is currently voluntary to notify the Office of the Australian Information Commissioner (OAIC) if an organisation experiences a data breach, but the Government has indicated that it would legislate to mandate this requirement by the end of 2015 if the breach presented a real risk of serious harm to the affected

Whilst the benefits of notification must always be weighed against the commercial risks, some benefits of notification or disclosure of the breach include the following:

Trust and transparency: affected customers of Kmart and David Jones were contacted by email in close proximity to the event occurring, presumably leading these customers to think that the organisations were treating the event as a priority.

Reduce risk of further harm: by notifying affected customers, the individuals (and therefore the organisations) have the ability to prevent the risk of further harm. For example, the David Jones notification warns customers to be vigilant to unsolicited requests for their personal information that appear to come from David Jones. Conversely, if individuals were not notified in similar situations and therefore did not take steps to prevent further disclosure that could otherwise have been taken, the organisation may have faced greater liability under the

Possibility of lighter penalties (than if the OAIC finds out by alternate means): it is not surprising that the OAIC, responsible for investigating data breaches and potentially handing out fines of up to $1.7 million, may look favourably upon organisations that acted quickly and transparently in relation to the reporting of data breaches. Both companies reported to the OAIC in this case, a step consistent with their also notifying affected individuals (who may in turn complain to the OAIC).

Ultimately, the scenario of each data breach will be different, and careful consideration needs to be given towards ascertaining the risk of harm to affected individuals and hence the need to notify. Buy-in is needed at management level to ensure the decision is well understood by the organisation and response plans are in