Data breaches are becoming as lucrative as the global drug
trade. Massive data breaches are almost a daily occurrence. The
Privacy Rights Clearinghouse reports that in the first eight months
of 2015 there were 120 million personal records breached globally.
This is up from 70 million for the full year of 2014.
Against this backdrop, a recent survey of boards by North
Carolina University found that cyber breach was in the top three
risks concerning directors. Anecdotally we know the same is true of
boards in Australia.
The draft Privacy Amendment (Notification of Serious Data
Breaches) Bill 2015 is set to take this fear to a whole new level.
The recently released Bill will require notifications to be sent to
individuals whose personal information may have been exposed in a
Currently there is no legal obligation to notify a person if
their information has been compromised. This new notification
scheme will apply to any company that is currently subject to the
Privacy Act. In general, any company that has an annual turnover of
more than $3 million will therefore be subject to the notification
Some commentators have questioned whether the $3 million
threshold is appropriate. The government has to balance protecting
the public's privacy with concerns from Australia's 2
million small businesses about excessive compliance costs. In that
regard the $3 million threshold seems appropriate.
Presumably the logic is that it will generally be the large
companies that collect the most personal information and therefore
will have the greatest effect on the public if they suffer a data
breach. It is also worth noting that small businesses have always
been exempt from the Privacy Act, so it is consistent that the
notification scheme should not apply to them.
What is the threshold for notification under the Draft
A company will need to make a notification if it is aware, or
importantly, if it ought to have been aware, that there are
reasonable grounds to believe that it has suffered a serious data
breach. A serious data breach is considered to be one where there
is a "real risk of serious harm" to any of the
individuals whose information has been the subject of the
Determining exactly what constitutes a real risk of serious harm
is not easy. Many data breaches cause little or no direct harm to
individuals. The Explanatory Memorandum to the draft Bill gives
some guidance as to what would constitute a "real risk of
However, until there is some court consideration of the term it
will be potentially quite a complicated decision for a company to
make as to whether or not to notify.
What does a board need to do to be ready?
Assuming that the draft Bill passes parliament in its current
form, companies will have 12 months from enactment to get ready.
Companies will need every moment of that 12 months to prepare.
The draft Bill gives companies 30 days in which to conduct an
assessment as to whether a serious data breach has occurred. If a
notification is required, a detailed notice must be sent to the
In order to comply, a lot of background work needs to happen
quickly. For example, forensic investigators need to be engaged,
notifications drafted, PR advisers briefed and call centres stood
up to deal with customer enquiries.
Companies should ensure that they have a well-tested data breach
response procedure in place so that they can meet the 30 day
Companies should also start to think now about cyber insurance.
The losses from a cyber attack (including the cost of
notifications) can be significant and cyber insurance can help to
mitigate the risk.
These policies are becoming more common but care should be taken
to read the fine print as the exclusions can often render the
policies of limited value.
The draft Bill should be seen as a wakeup call. Companies need
to be taking steps now to defend against cyber attacks and to be
prepared to respond appropriately if breached.
We know that when the US introduced mandatory data breach
notification laws, the number of reported data breaches rose
sharply. There were 110 breaches voluntarily notified to the Office
of the Australian Information Commissioner in 2015. It is possible
that we could see an increase of many times this number when this
legislation takes effect.
Submissions on the draft Bill are due by 4 March, 2016.