At some stage, you will be the victim of a data breach. The consequence of a data breach could be that the personal information of your clients is exploited. According to data collected by Gemalto in its Breach Level Index (BLI), there were 974 data breaches worldwide in the first half of 2016, up 15% from the previous six months. Of those incidents, 29 affected more than one million records. Perhaps what is most disturbing is that Australia had five and a half times the number of data breaches of China.
In response to these increasing threats, government, business and the not-for-profit sector are expected to take reasonable steps to protect the personal information of customers. Government agencies and businesses governed by the Privacy Act will soon be required to notify any individuals affected by a data breach that is likely to result in serious harm. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) passed the Senate on 13 February 2016 and received assent on 22 February 2017. The effect of the changes is that the Privacy Act 1988 (Cth) (Privacy Act) will now impose mandatory data breach notification requirements on entities when there has been an 'eligible data breach'.
Don't ignore this development, as significant penalties, including fines of up to AUD$360,000 for individuals and AUD$1.8 million for organisations, can be imposed.
Do these changes apply to you?
If you are an APP entity, i.e. you are bound to comply with the Australian Privacy Principles, then mandatory reporting applies to you. Entities include:
- government agencies
- businesses with an annual turnover of more than $3 million
- not-for-profit organisations with an annual turnover of more than $3 million
- private sector health services
- private schools
- private tertiary education institutions
- businesses that sell or purchase personal information
- individuals who handle personal information, including those who handle credit reporting information, tax file numbers and health records.
So what is an eligible data breach?
An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Who and what must you notify?
In the event of an eligible breach you must notify:
- the Office of the Information Commissioner (the Commissioner); and
- the at-risk individual/s.
You will be obligated to set out:
- your contact details;
- the nature of the breach; and
- steps you recommend affected individuals take in response.
When must you notify?
An entity must give a notification if:
- it has reasonable grounds to believe that an eligible data breach has happened; or
- it is directed to do so by the Commissioner.
Does the legislation go far enough? Does it go too far? I expect there will be a compliance burden on a number of sectors but much will depend on how the words 'likely' and 'serious harm' are interpreted.
It will be interesting to see what steps are taken by the government and regulators with respect to those most vulnerable in our community, including children, who may not be equipped to take advantage of the warnings provided. One step at a time...
The other burning question to me as an insurance lawyer is how will the insurance market respond to these changes? Some cyber policies presently offer cover for fines and penalties. When those policies were written, one would assume that the cover was contemplated to be in relation to breaches reported to the Commissioner of the Australian Privacy Principles. Typically, those types of fines and penalties were small in monetary value. Over the next two years the insurance industry will need to keep a close eye on the enforcement of the amendment. Premiums for cyber insurance are likely to increase, but maybe the value clients demand from these policies will increase too.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.