New data breach laws: Will your organisation be affected?
We all know that technology is continually developing. That development has resulted in vast amounts of personal information being collected and stored digitally by organisations. With that comes an increased risk of cyber threat. In the last financial year, organisations were affected up to hundreds of times a day through spear phishing emails alone.[1] Yet, few organisations’ security procedures are as sophisticated as they ought to be, and there are gaps where workplace practices are out of step with the technical controls in place. For example, organisations have embraced practices that offer greater workplace flexibility, such as using personal devices at work or working remotely from home; yet significantly fewer of these organisations have mobile device management systems to manage the risks those practices create. A recent survey of Law Society members revealed that 11% of lawyers do not have basic anti-virus protection on their laptop, only 27% had anti-virus protection on their smartphones, and 41% did not know what measures they had deployed on their smartphones.[2] Against this backdrop, most legal practitioners regularly access work emails (which inherently contain confidential information) on their phones.
It goes without saying, therefore, that investment in cyber security is an investment that makes sense. The reasons for doing so speak for themselves, and include protection of your own and your clients’ data, the prevention of lost productivity (through downtime or outages), and the prevention of reputational loss. While it may be costly and time consuming to ensure adequate security measures are in place, the cost of a breach can far exceed prevention costs. The total cost of cyber-attacks in Australia in the previous financial year was $280 billion.[3] Just recently, it was announced that Uber suffered a data breach in October 2016. Two individuals downloaded information from a third-party cloud server which contained the names, email addresses and mobile phone numbers of 57 million Uber users worldwide. Uber paid the hackers $132,000 to delete the information and did not notify the people affected, but rather concealed the breach from the public (until the breach hit the news in November 2017).[4]
The Act
It is against this background that the Privacy Amendment (Notifiable Breaches) Act 2017 (the Act) was born. The purpose of the Act is twofold: (1) to give individuals the opportunity to change or re-secure their personal information (for example, by changing passwords or closing accounts); and (2) to encourage businesses to improve their security practices. The Act amends the Privacy Act 1988 (Cth) by introducing a mandatory data breach notification scheme.
Who will be subject to the Scheme?
Organisations that are already subject to the Privacy Act, known as ‘APP entities’. These include credit reporting bodies and credit providers (including super funds), tax file number recipients, private health service providers and some private sector and not for profit organisations.
Small businesses with an annual turnover of less than $3 million will be exempt.
When is the requirement to notify triggered?
APP entities are required to notify the Office of the Australian Information Commissioner (OAIC) and any relevant individual as soon as practicable where there are reasonable grounds to believe that an “eligible data breach” has occurred.
A “data breach” occurs where personal information is lost or subjected to unauthorised access or disclosure. Examples of data breaches include a device containing customers’ personal information (which could include an employee’s mobile phone) being lost or stolen, a database containing personal information being hacked, equipment being returned to a lessor without the personal information on it being deleted, or even personal information being sent out to an incorrect address.
A “data breach” is elevated to an “eligible data breach” where a reasonable person would conclude that the access or disclosure would be likely (more probable than not) to result in serious harm to any of the individuals to whom the information relates.
Whether harm will be “likely” is to be determined by reference to a list of factors, which include the sensitivity of the information, any security measures taken and how easily those measures could be overcome, and the kinds of persons who obtained the information.
“Serious harm” is not defined. However, the Explanatory Memorandum sets out that it will likely include serious physical, psychological, emotional, economic, financial or reputational harm. While individuals may be distressed or upset at an unauthorised access of their personal information, this would not ordinarily of itself be sufficient to constitute “serious harm”.
The OAIC can also issue a directive to an organisation to provide notice. We discuss this further below.
What must the notification include?
The notice must include:
- the identity and contact details of the entity;
- a description of the data breach;
- the kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the breach.
An entity may provide the notice to the individual using the method of communication that it usually uses to communicate with the individual, or where there is no normal mode, take reasonable steps to notify. If it is not practicable to notify the individual, the entity must publish a copy of the statement on its website and take reasonable steps to publicise the contents of the statement.
The OAIC has published a draft notice for entities to use as a precedent.
Exceptions to notification obligation
The Act sets out the following exceptions to the requirement to notify:
- An entity is not required to immediately notify if it suspects (as opposed to has reasonable grounds to believe) that a data breach has occurred. However, in this circumstance, the entity is required to undertake a “reasonable and expeditious” assessment into the circumstances within 30 days.
- Where remedial action has been taken before the breach is likely to result in serious harm.
- If the information is held by more than one entity jointly and simultaneously, then only one entity is required to notify, and the other (non-notifying) entity is taken to have complied with its obligations by reason of the other entity’s notification.
- If compliance would be inconsistent with another law of the Commonwealth that regulates the use or disclosure of information.
- Where the entity is already required to disclose the breach under the mandatory data breach requirement in section 75 of the My Health Records Act 2012 (Cth).
The OAIC also has a discretion to grant an exemption.
Penalties
Failure to notify an “eligible data breach” can result in the entity being subject to investigation and potential exposure to civil penalties of up to $360,000 for individuals and $1.8 million for corporations.
Where to from here?
The Act will commence operation on 22 February 2018. It is no longer an option for APP entities to deal with data breaches as they see fit. The mandatory investigation and reporting obligations which arise under the Act mean that it is now essential to be proactive. Organisations need to understand their disclosure obligations and review their current cyber security practices to ensure that they are sufficiently robust. This may require seeking guidance from IT security specialists. The OAIC has also published guides to securing personal information and to handling personal information security breaches.
Interestingly, the Act does not specify the particular entity responsible for complying with the notification requirement. This may cause difficulties where information is held by more than one entity jointly, for example in joint venture or shared services arrangements. As such, entities should ensure that their arrangements and policies with contracted service providers clearly articulate each party’s responsibility in responding to and notifying a data breach. This may be particularly challenging (and so even more important) in large organisations.
Even if an entity is not required to notify of a data breach under the Act, the introduction of the legislation should serve as a timely reminder to all businesses to audit their cyber security procedures, as the benefits of securely storing digital data extend far beyond legislative compliance.
[1] Australian Cyber Security Centre 2016 Cyber Security Survey. Commonwealth of Australia 2017. Available on-line: https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf
[2] Valli, Craig. A survey of lawyers’ cyber security practices. Brief. Vol.44, No. 10, Nov 2017: 34-35
[3] Australian Cyber Security Centre 2016 Cyber Security Survey. Commonwealth of Australia 2017. Available on-line: https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf
[4] Uber boss says a data breach exposed 57m users’ data and the company didn’t tell anyone. ABC News. 22 November 2017. Available on-line: http://www.abc.net.au/news/2017-11-22/uber-data-breach-was-not-disclosed-ceo-says/9179168