Australia: Mandatory data breach notification obligations become law in Australia – issues for franchisors to consider

On 13 February 2017 the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) was passed by the Federal Parliament. The Bill received Royal Assent on 22 February 2017 and will take effect from 22 February 2018, unless an earlier commencement date is proclaimed. The Bill amends the Privacy Act 1988 (Cth) (Privacy Act) to introduce a new obligation for the occurrence of an "eligible data breach" to be notified to the Australian Privacy Commissioner and to affected individuals.

Mandatory data breach notification obligations

Once the provisions of the Bill come into effect, entities that are required to comply with the Privacy Act will become subject to mandatory data breach notification obligations. Entities that must comply with the Privacy Act include private sector organisations with an annual turnover of more than $3 million, so many franchisors will be required to comply with the new data breach notification obligations. If one company in a corporate group has an annual turnover of more than $3 million, then all of the companies in that corporate group are required to comply with the Privacy Act and will become subject to mandatory data breach notification obligations.

Organisations will be required to:

• make an assessment of whether an eligible data breach has occurred within 30 days of becoming aware that there are reasonable grounds to suspect there may have been an eligible data breach; and
• if an organisation is aware that there are reasonable grounds to believe there has been an eligible data breach, prepare a statement that contains:
• • the identity and contact details of the organisation;
  • a description of the eligible data breach;
  • the kinds of information affected; and
  • the organisation's recommendations for the steps that affected individuals should take.

The statement must then be provided to the Australian Privacy Commissioner and notified to each of the individuals to whom the affected information relates or who are at risk from the eligible data breach. If it is not practicable to directly notify the affected individuals, then the statement must be published on the organisation's website.

What is an eligible data breach?

For the purpose of these notification obligations, an "eligible data breach" occurs where:

• there is unauthorised access to, or unauthorised disclosure of, personal information held by the entity, or personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
• a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

The Bill sets out a range of factors that an organisation is required to have regard to in assessing whether the access or disclosure would be likely to result in serious harm. The factors include the kinds of information affected and its sensitivity, whether a security measure (such as encryption) was applied in relation to that data and the nature of the potential harm.

However, where remedial action has been taken and a reasonable person would conclude that the taking of the remedial action would mean that there is unlikely to be any serious harm to any affected individuals, then the data breach notification obligations in the Bill would not apply.

The Privacy Commissioner

The Privacy Commissioner has the power to require an organisation to comply with and follow the data breach process if the Privacy Commissioner is aware that there are reasonable grounds to believe there has been an eligible data breach in relation to that organisation. The Privacy Commissioner also has the power to declare that an organisation does not have to comply with these notification obligations or extend the time for compliance with those obligations.

Information held outside Australia

The Bill also expands the mandatory data breach notification obligations to some circumstances where the personal information that is the subject of the data breach is held by a service provider outside Australia. Where an organisation in Australia has disclosed personal information to an offshore recipient under a contract (which is permissible under the Privacy Act, provided that the contract contains sufficient privacy protections), an eligible data breach that occurs offshore in relation to that transferred personal information is deemed to be an eligible data breach that affects the organisation in Australia. For example, this would mean that the obligation to notify of a data breach would extend to circumstances where an Australian organisation holds personal information in a cloud computing service that is hosted from outside Australia.

Failure to comply

A failure to notify an eligible data breach (either when required by the relevant provision of the Privacy Act, as amended by the Bill, or when the organisation is directed to do so by the Privacy Commissioner) is deemed to be an interference with the privacy of the individuals affected by the eligible data breach. Under the Privacy Act, this means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.

Where the failure to notify the eligible data breach amounts to a serious or repeated interference with privacy, the Privacy Commissioner also has the power to seek civil penalty orders of up to $360,000 in the case of individuals and up to $1.8 million in the case of bodies corporate.

Preparing for the introduction of mandatory data breach notification obligations

As the provisions of the Bill will come into effect on 22 February 2018 (unless an earlier commencement date is proclaimed), affected franchisors should begin preparing to comply with these obligations now. In addition, franchisors may wish to consider developing a data breach response plan for wider use across their franchisee network, as the impact of a data breach could have a significant impact on the entire franchise network's brand and reputation.

Steps that franchisors could take to reduce their risk profile include:

• preparing a data breach response plan that sets out all of the relevant people or teams to be contacted (e.g. legal, public relations, IT and security) and the procedures to be followed in the event of a data breach (including assessing whether the data breach notification obligations would apply);
• reviewing existing contracts with IT suppliers, to ensure that those contracts require the supplier to notify the franchisor if the supplier suffers a data breach, and seeking to amend any contracts that do not sufficiently address privacy and data security issues and risks. Privacy and data security issues should also be a key area for consideration in any new contracts with IT suppliers;
• creating a 'data map' of the systems and geographical locations where the franchisor stores or holds its data and using this data map to undertake a risk assessment of the franchisor's IT systems and any external systems used by the entity to store its data (including highlighting any offshore storage locations);
• reviewing its existing insurance policies and considering whether it might be appropriate to obtain additional cyber liability insurance;
• undertaking training for franchisees about cyber risk issues and good IT security practices, such as implementing virus scanning software and ensuring that IT systems and software are fully patched and up to date; and
• reviewing franchise agreements and operations manuals to ensure that franchisees are obliged to notify the franchisor of the occurrence of a data breach affecting a franchisee and requiring the franchisee to co-ordinate its response with the franchisor, including implementing any network-wide data breach response plan that may have been put into place by the franchisor.

Norton Rose Fulbright has substantial experience in developing data breach response plans and advising on cyber risk issues. Norton Rose Fulbright has developed two fixed price cyber-risk management packages to address these issues.

In addition, Norton Rose Fulbright offers a global 24/7 incident response service for cyber-incidents (including data breach and network interruption). As 'breach coach', we work with you to provide a streamlined response by assessing the size and nature of the incident, taking steps to contain it, and co-ordinating our panel of carefully selected third party vendors of remedial and protective services, all the while managing stakeholders' interests and advising on mitigation of potential losses.