Data Goes Missing - Who You Gonna Call?

Key Point

• Although there are no requirements to notify affected individuals now, there could be some very soon.

While agencies and organisations must take reasonable steps to protect the data they hold, they are not obliged to inform anyone if there is a breach in their data security. This could change however, as both the Australian Law Reform Commission and the Privacy Commissioner look at introducing mandatory and voluntary guidelines for data breach notification.

In this article we'll sketch out the main features of both proposals, and see what the overseas position is.

What is data breach?

A "breach of information security" occurs when an agency's or organisation's information security is breached and personal information is exposed to unauthorised access, use, disclosure or modification. An affected individual may suffer harm including financial harm (eg. identity theft or fraud), humiliation, damage to reputation or relationships and loss of business or employment opportunities. In the US third parties such as credit card associations and banks have suffered harm in remediating identity thefts and unwinding unauthorised transactions and have sued the organisation which suffered the security breach.

ALRC's proposed data breach notification model

The Australian Law Reform Commission (ALRC) discussed introducing data breach notification requirements in its Discussion Paper on a "Review of Australian Privacy Law". It recommended mandatory notification where there is:

• an unauthorised acquisition of specified personal information; and

• the business/agency or the Office of the Privacy Commissioner (OPC) believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

Along with this came some exceptions to the obligation to notify:

• where personal information was encrypted adequately;

• good faith acquisition of personal information by the agency or organisation for a proper purpose; or

• where notification is not in the public interest.

The breach notification should:

• contain a description of the breach, type of personal information disclosed, assessment of the risk of identity fraud and contact information for affected individuals;

• be communicated by the ordinary method of communication with customers (although a substituted notice could be used where approved by the OPC); and

• be communicated as soon as reasonable practicable (with delay being allowed for law enforcement purposes).

The ALRC proposed that failure to comply with the proposed Data Breach Notification provisions may attract a civil penalty. There might also be a civil action for breach of statutory duty in failing to notify.

A mandatory Data Breach Notification requirement is supported by Special Minister of State John Faulkner. The ALRC's final report will be tabled in Parliament in late August and it is believed the report confirms the Data Breach Notification recommendation. While legislative change may be some time away, there seems however to be strong support from the Government to introduce mandatory Data Breach Notification requirements on agencies and organisations.

What about voluntary notification?

In April 2008, the OPC released a draft voluntary notification guide for information security breaches. It recommended that an agency or business should consider whether to notify affected individuals. Relevant factors would include the risk of serious harm to the individual, the ability of the individual to avoid or mitigate possible harm if notified and the legal and contractual obligations involved.

The OPC recommended the following types of information to be included in a notification:

• incident description;

• type of personal information involved;

• response to the breach;

• assistance offered to affected individuals;

• other information sources to protect against identity theft or interference with privacy;

• agency/organisation contact details;

• whether breach notified to regulator; and

• how individuals can lodge a complaint with the Privacy Commissioner.

The US position

In the US, all financial institutions are subject to Data Breach Notification requirements set out in the Interagency Guidance on Response Programs for Unauthorised Access to Customer Information and Customer Notices (US Interagency Guidance). Financial institutions must implement a response program to unauthorised access to, or use of customer information that could result in substantial harm or inconvenience to a customer. The US Interagency Guidance does not apply to other organisations or federal or state government agencies.

At the State level, there are currently 43 US states with data breach notification legislation. California was the first US state to require mandatory data breach notification. While many states have followed the Californian model, some US states have varied the Californian model slightly.

Organisations that own or licence computerised data that includes personal information are subject to differing data breach notification requirements depending on the state they conduct their business in. In some states this will apply to a state government agency. A person that maintains computerised data that includes personal information is only required to notify and co-operate with the owner or the licensee of the information.

Other overseas jurisdictions

Mandatory data breach notification laws are also being considered in the European Union, Canada, the United Kingdom and New Zealand, and the Privacy Commissioners from the last three have also released voluntary guides for data breach notification.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.