The Situation: The Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Data Breach Bill) on 13 February 2017. The Data Breach Bill introduces mandatory requirements to notify the Australian Information Commissioner and affected individuals of "eligible data breaches".
Looking Ahead: Once these requirements take effect, there will likely be an increase in the number of reported data breaches and a potential increase in litigation commenced against entities involved in a breach.
Australia's Data Breach Bill amends the Privacy Act 1988 (Cth) ("Privacy Act") and requires private and public organisations regulated by the Privacy Act to notify affected individuals and the Australian Information Commissioner of "eligible data breaches". The requirements take effect on 23 February 2018 or an earlier date determined by Proclamation of the Governor-General of Australia ("Commencement Date").
The notification requirements apply in the event of unauthorised access or disclosure, or loss of information, that occurs on or after the Commencement Date. Organisations affected by these requirements should ensure they have introduced appropriate practices, procedures and systems to comply with the notification obligations once they come into effect.
Background to the Data Breach Bill
Australia did not have a mandatory data breach notification scheme prior to the Data Breach Bill (with the exception of eHealth data breaches). Notification of data breaches to the Information Commissioner and affected individuals was voluntary (and will continue to be until the Data Breach Bill takes effect).
Mandatory data breach notification is intended to provide affected individuals with notice after a breach so that they may take action to protect themselves against potential harms related to the breach, e.g., by changing online passwords or cancelling credit cards. The Bill also aligns Australia with other jurisdictions that have mandated data breach notification schemes.
What Entities Must Comply with the Notification Requirements?
Entities covered by the breach notification requirements under the Privacy Act include:
- Private sector organisations (individuals, bodies corporate, partnerships, unincorporated associations or trusts) formed in Australia, conducting business in Australia or collecting personal information from individuals located in Australia that have, or are related bodies of an entity that has, an annual turnover of more than A$3 million;
- Australian government agencies; and
- Credit providers (e.g., a bank or an organisation issuing credit cards).
Any entity that discloses personal information to a recipient located outside of Australia (and is not exempted from Australian Privacy Principle 8.1) will be considered the holder of that information and is required to notify the Information Commissioner and affected individuals if there is an "eligible data breach" of the information.
When are Entities Required to Notify a Data Breach?
An entity must notify the Information Commissioner and affected individuals once it has reasonable grounds to believe there is an "eligible data breach," which occurs when:
- There is unauthorised access to, or disclosure of, information, and a reasonable person would conclude that the access or disclosure would likely result in serious harm to any of the individuals to whom the information relates; or
- Information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, information is likely to occur and, if it did occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Entities must consider whether it is likely that the data breach result in serious harm to any of the relevant individuals—as long as one individual is likely to suffer serious harm, the entity will be required to notify the data breach.
Are There Content Requirements for the Data Breach Notice?
In the event of an "eligible data breach" an entity must prepare a statement describing:
- The identity and contact details of the entity (and if the data breach is also a data breach of any other entities, the identity and contact details of those other entities);
- A description of the breach;
- The kind(s) of information affected; and
- Recommendations for steps individuals should take in response.
The entity must provide the statement to the Information Commissioner and each relevant individual (if practicable), or otherwise publish the statement on the entity's website and take reasonable steps to publicise the statement.
Are There Exemptions to These Notification Requirements?
An entity that promptly and effectively responds to a data breach through remedial action will not be required to comply with the notification requirements if, as a result of actions taken by the entity, the breach is not likely to, or does not, result in serious harm.
Entities may also apply to the Information Commissioner for an exemption from, or an extension of time to comply with, the notification requirements, and would not be required to comply until the Information Commissioner has decided the application.
What Are the Penalties to Private Companies for Failure to Comply with the Notification Requirements?
Failure to comply can result in affected individuals filing a complaint with the Information Commissioner, prompting an investigation of the company. The Information Commissioner may also investigate without a complaint being made and may issue a determination requiring the company to:
- Compensate such individuals for any loss or damage suffered; or
- Take actions to redress any loss or damage or steps to ensure that an entity's conduct is not repeated or continued.
If the failure to comply with notification requirements is "serious or repeated", companies may be liable for penalties of up to A$1.8 million (A$360,000 for individuals).
FIVE KEY TAKEAWAYS
- Entities will be required to notify the Information Commissioner and affected individuals of data breaches that are likely to result in "serious harm".
- Expect a greater number of reported data breaches following the Commencement Date of Australia's mandatory data breach notification requirements.
- If an entity suspects there has been a breach but is not certain that it is an "eligible data breach", the entity must carry out an assessment to make that determination within 30 days.
- Consistent with other jurisdictions, there is a real potential for increased litigation concerning significant publicised breaches. This includes actions for failing to report a breach and class action litigation from a class of individuals who were affected by the data breach. Early notification of breaches will assist claimants in identifying the type of claim to be made and the affected class of individuals.
- Entities should prepare for mandatory data breach notification by reviewing and strengthening security systems, processes, policies and procedures. Entities should also introduce policies and systems to review data breaches, implement remedial action and assess whether (and what form of) notification is required. Breach preparedness, training, and testing (e.g. table top exercises) is also recommended.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.