Cyber attacks and data breaches are the top business risk in Australia according to Aon's 2023 Global Risk Management Survey.
In the first of this four-part series, Special Counsel John Bennett explores the risk considerations. Later articles in this series address how you can minimise the risks with data breaches and deal with the fallout when personal information is compromised.
The obligation for businesses to protect personal information
Under the Privacy Act, personal information is information about an individual who is reasonably identifiable. Examples include names, addresses, phone numbers, photographs, bank account and credit card details, creditworthiness, health information, religious beliefs, ancestry and criminal records. Businesses may collect personal information through credit or bank account applications, credit card payments, employment recruiting processes and CCTV footage.
Through cyber attacks, criminals and hostile foreign entities may seize personal information for identity theft, embezzlement, fraud, business disruption and damage to national security. Australian governments have combated these threats for decades through various statutes.[1]
Australian Privacy Principle (APP) 11 imposes security of personal information obligations on businesses which hold personal information. Under this principle, APP entities must take reasonable steps to protect personal information they hold from misuse, interference and loss; and from unauthorised access, modification or disclosure.[2] Among other things, the principle aims to address attacks on computer systems.[3]
APP entities include businesses that are not small business operators.[4] However, the Commonwealth Attorney-General has recommended removing the small business exemption and the Australian Government has agreed to this in principle.
What is a data breach?
A data breach occurs when there has been unauthorised access to or disclosure of personal information, or where that information has been lost.[5] A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.[6] Examples include loss or theft of devices or records, unauthorised access by employees, inadvertent disclosure due to 'human error' (such as sending an email to the wrong person) and disclosure of an individual's personal information to a scammer due to inadequate identity verification procedures.[7]
Risks brought to light in the Optus data breach
Optus experienced a data breach between 17 and 20 September 2022 which affected millions of its customers. The Federal Court has already provided several interlocutory judgments on this data breach.[8] Remarkably, the affidavit evidence from Optus' company secretary outlined the various concerns for Optus when it learned about the data breach. These concerns are largely the same for any business.
Civil penalties
A chief concern is significant civil penalties. The Privacy Act imposes penalties on entities that do an act, or engage in a practice, that seriously interferes with an individual's privacy.[9] Individuals face a $2,500,000 civil penalty for this.[10] Businesses risk a penalty of at least $50,000,000.[11] Further civil penalties may also come into play through other legislation, including the Competition and Consumer Act.
Intrusive regulatory investigations
The Optus company secretary considered a range of potential investigations from the Office of the Australian Information Commissioner (OAIC), the ACCC, ASIC, the Telecommunications Industry Ombudsman, and even a parliamentary inquiry or Royal Commission. The OAIC[12] deserves special mention.
In the context of data breaches, the Privacy Act empowers the OAIC to investigate complaints about acts or practices that may interfere with an individual's privacy.[13] Following a complaint, the OAIC may, during its inquiries, obtain information from any person or source it thinks fit.[14] The OAIC can also examine witnesses under oath or affirmation, and direct persons to attend a compulsory conference.[15]
Following the investigation, the OAIC may make a determination declaring that the complaint is substantiated and that the individual's privacy has been interfered with.[16] The declaration may state that the complainant is entitled to compensation and require the respondent to take specified steps, perform reasonable acts or courses of conduct to redress loss or damage, and publish communications about the conduct.[17] These determinations (including entitlement to compensation) are enforceable by Court order.[18]
Failure to cooperate during investigations is punishable by infringement notices.[19] It is also a criminal offence to fail to attend before the OAIC or to provide required sworn or affirmed evidence during the investigation.[20] Finally, the OAIC may enforce provisions of the Privacy Act through undertakings and injunctions.[21]
Private litigants
The Optus company secretary also turned their mind to class actions. The potential claimants against any business include customers, employees and shareholders. Potential claims from customers and employees include breach of contract, breach of confidence, negligence and misleading or deceptive conduct. These parties may seek damages for the distress caused by their personal information being disclosed, and for the cost and time associated with addressing the consequences. Shareholders may sue over a breach of a listed company's continuous disclosure obligations and claim loss related to a share price drop.
Reputational damage
Reputational and brand damage from a data breach can hurt your business. Once the public knew about the Optus cyber attack, Optus call centres and the office of the chief executive officer received numerous customer complaints. The cyber attack was a hot media topic and the Albanese Government singled out Optus for a breach 'on an unprecedented scale in Australia...that should never have happened'.
For more information, please contact Coleman Greig's Privacy and Data Protection lawyers.
Footnotes
1 See for example Privacy Act 1988 (Cth), Crimes Legislation Amendment Act 1989 (Cth), Cybercrime Act 2001 (Cth), Spam Act 2003 (Cth), Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
2 Privacy Act 1988 (Cth) ss 14 and 15 and sch 1.
3 Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 86.
4 Privacy Act 1988 (Cth) ss 6(1) and 6C(1).
5 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 3 [7].
6 Office of the Australian Information Commissioner, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) 8.
7 Ibid.
8 Singtel Pty Ltd v Robertson [2024] FCAFC 58 and Robertson v Singtel Optus Pty Ltd [2023] FCA 1392.
9 Privacy Act 1988 (Cth) s 13G(1).
10 Privacy Act 1988 (Cth) s 13G(2).
11 Privacy Act 1988 (Cth) s 13G(3).
12 Established by Australian Information Commissioner Act 2010 (Cth) s 5(1).
13 Privacy Act 1988 (Cth) ss 36, 38 and 40.
14 Privacy Act 1988 (Cth) ss 31, 40A, 41 and 43.
15 Privacy Act 1988 (Cth) ss 44, 45 and 46.
16 Privacy Act 1988 (Cth) s 52(1).
17 Privacy Act 1988 (Cth) s 52.
18 Privacy Act 1988 (Cth) ss 55A and 60.
19 Privacy Act 1988 (Cth) ss 66 and 80UB.
20 Privacy Act 1988 (Cth) s 65.
21 Privacy Act 1988 (Cth) ss 80V and 80W.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.