Australian businesses can no longer keep quiet about cyber security breaches, with Parliament passing laws mandating their disclosure. On 13 February 2017, the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, set to receive royal assent. Finally bringing Australia into line with other countries globally, the new rules will take effect within 12 months, giving businesses limited time to prepare for compliance with the new legislation.
The Amendment Act amends the Privacy Act 1988 (the Privacy Act) to introduce mandatory data breach notification requirements for Commonwealth government agencies, private sector organisations and specific other entities (including credit reporting bodies and recipients of tax file number information) that are regulated by the Privacy Act.
In the 2016 Federal Budget, the Australian Government announced how it intended to fund its new Cyber Safety Strategy package, with funding aimed at assisting those businesses who traditionally hadn't focussed on cyber security as a priority. The question then for mid-size businesses, in particular, was how the proposed measures would actually assist them, and whether it's enough. The introduction of this new legislation only adds to the pressure on businesses to ensure adequate compliance.
When do you need to notify?
The threshold for notification under the new Act will be more onerous than most other global jurisdictions, with the test based on whether the breach "is likely to result" in serious harm to an affected individual.
Presently, there is no mandatory requirement for an organisation that is the victim of a cyber-attack to inform the Office of the Australian Information Commissioner (OAIC) or affected individuals following a data breach involving personal information. The Privacy Act, however, already requires businesses that hold personal information to protect it from misuse, interference and loss, as well as unauthorised access, modification or disclosure, which includes where a business engages third parties to store personal information. Present predictions by the OAIC suggest that the new mandatory requirements for notification will double the number of reported incidents each year.
What do you need to notify?
Now is the time to get compliance ready.
Within 12 months, you will be required to report a cyber breach captured by the Act to the OAIC and to affected individuals as soon as practicable, identifying the breach, the type of information that was disclosed and recommendations about the steps individuals should take in response to the breach. When notifying affected individuals, you will also need to publish a notification online and take reasonable steps to notify all affected individuals.
A failure to report or notify individuals may require you to make a formal public apology and pay compensation to any affected individuals, and large civil penalties could also apply for serious or repeated non-compliance with mandatory notification requirements.
Ensuring you are protected from a serious data breach
The Cyber Safety Strategy package announced as part of last year's Federal Budget was applauded for bringing to the table a cyber security health check scheme for the public and private sector. It was noted at the time, however, that the onus would always be on businesses to step up and play their own role in fighting cybercrime, particularly in those industries that operate critical infrastructure. This new legislation brings that responsibility into sharp focus.
A factor that will be taken into account when considering whether a notifiable data breach has occurred is whether the information was protected by appropriate security measures.
Ensuring you have in place an appropriate data breach response plan will also be critical over the coming 12 months. You should also consider negotiating insurance to cover cybercrime risks, particularly in relation to covering costs arising from loss of goodwill and reputational harm, as well as costs attributable to negligent data security (which are often exclusions under existing policies).
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.