Privacy legislation requiring notification of data
breaches will shortly become federal law.
On 19 October 2016, the Commonwealth Minister for Justice,
Michael Keenan, outlined to Parliament the rationale for
legislation requiring a compulsory notification scheme:
receiving notification of a breach can allow the affected person
to take action to protect themselves from harm.
While the Privacy Amendment (Notifiable Data Breaches) Bill 2016
will only apply to the personal information of individuals, it will
have significant practical implications for contractual
relationships and corporate data security. Here's why:
Notified data breaches will become instant public
news. Not only will affected individuals vent their
displeasure on social media and on company and media comment
pages, but breaches will be reported in the mass media and recorded
online in perpetuity.
Dedicated privacy and consumer rights organisations will keep
comprehensive and permanent online records of
reported privacy breaches. A good example that will undoubtedly be
copied in Australia is the database maintained by the Privacy
Rights Clearinghouse: https://www.privacyrights.org/data-breaches
Your contractual counterparties will know
about the breach and will be concerned about whether their own
confidential information has been compromised.
The consequences for organisations that are the subject of cyber
breaches are potentially very serious. For example, many standard-form
confidentiality agreements require counterparties to:
notify the other party of any possible or actual
breach of confidentiality; take all reasonable
steps required to prevent or stop the breach at the
Recipient's request; and assist the other party in
connection with any action or investigation regarding any possible
or actual unauthorised disclosure. Some confidentiality or
non-disclosure agreements may also require that the breaching party
indemnify the loss caused by the unauthorised
More sophisticated contracts, particularly in the technology and
telecommunications industries, now include specific cyber security
provisions requiring immediate notification on
becoming aware of any breach or potential breach (usually
defined to include the detection of any malicious code or
disruption to services). This is frequently backed up by
requirements for suppliers to provide security reports and to allow
security audits from time to time.
It is an understatement to say that complying with such obligations
in the immediate aftermath of a data breach would be difficult.
Yet contractual compliance will require notifying contractual
counterparties as part of the first response to learning of a data
Most organisations aren't in a position to handle such an
issue in a sophisticated way, and much of the focus has been on
responding to privacy obligations and personal information. Data
breaches will require a co-ordinated B2C and B2B response. The
publicity and brand damage associated with the B2C response is a
serious enough matter, but the failure to observe B2B contractual
obligations could leave a company facing major litigation
(including class actions if enough counterparties are affected),
terminated contracts and a lack of commercial confidence that could
Managing the contractual obligations in the public sphere can
only be done against the background of an organisation having a
corporate road map and
executing on a clear plan. Executing successfully on that plan
and being able to communicate an appropriate response to a breach
is also the only realistic response an organisation can have to an
online record tracking each reported breach.
Responding to contractual counterparties on the other hand will
require a separate but equally important plan for response. There
is clearly the potential for cyber breaches to cause significant
contractual liability, and the effects of public disclosures and
contractual notification obligations need careful thought, in
advance of any breach occurring.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.