New mandatory data breach notification laws: What do you need to know?

New Australian and European Union data breach notification laws in 2018 should encourage firms to protect against leaks and help them respond quickly and effectively if breaches do occur. Sophie Dawson, expert on privacy, surveillance, and communication law reviews.

Mid-size businesses with turnover of more than $3m per annum will be affected by new mandatory data breach notification laws commencing on 22 February 2018 more than most other businesses. Such businesses do not have the benefit of the small business exemption to the Privacy Act. They also often lack the resources that larger companies have at their disposal to protect themselves against cyber attacks and other unauthorised disclosures of personal information.

Anecdotal evidence also suggests that mid-size companies may not have been voluntarily reporting data breaches to the same extent as their larger counterparts. Instead, many have chosen to say nothing and hope that the breach, and also their decision not to disclose it, never becomes public.

In the lead up to the commencement of the new laws, businesses should assess the risks that they face, and how to mitigate them. Key considerations include security measures, data storage arrangements, insurance and data breach response planning.

The consequences of failing to do so can be serious. Penalties of up to $1.8m apply can apply under the Privacy Act. With the introduction of GDPR, failure by businesses with an establishment in the EU or which process the personal data of EU residents when offering them goods or services or which monitor the behaviour of individuals in the EU, to comply with the General Data Protection Regulation which will commence on 25 May 2018 can lead to fines of up to 4% of annual worldwide turnover or 20,000,000 Euros. The GDPR includes new data breach notification laws.

Where is your data, and how safe is it?

It is more important than ever to understand where and how your business’ information is held, used and disclosed.

At the moment, the Australian regulator, the Office of the Australian Information Commissioner, encourages data breach reporting, but does not require it. This has resulted in many organisations choosing to notify data breaches to the Office of the Australian Information Commissioner and to affected individuals.

Such an approach can be dangerous, even under existing laws. A considered approach needs to be taken in every case.

For example, whilst Australian privacy laws do not currently require notification of the Information Commissioner or of Individuals, there are other laws which sometimes require that steps be taken. For example, in the state of New South Wales, it is a crime which can attract up to 2 years’ imprisonment for a person who knows or believes that a serious indictable offence has been committed and that he or she has information which might be of material assistance in securing the apprehension, prosecution or conviction of the offender to fail without reasonable excuse to bring that information to the attention of a member of the Police Force or another appropriate authority: s 316 Crimes Act 1900 (NSW). A variety of cyber attacks including unauthorised access and crypt-locker attacks can constitute serious indictable offences: see Part 6 of the Crimes Act 1900. In addition, highly regulated entities such as banks and insurers can risk putting their regulators off-side if they do not handle data breaches in accordance with their expectations and any applicable policies.

Further, organisations which fail to notify individuals of a data breach risk possible liability under existing laws. For example, Australian Privacy Principle 11 requires entities to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Office of the Australian Information Commissioner considers preparation of a data breach response plan which includes notification of affected individuals to be a “reasonable step” for the purpose of that obligation. In addition, failure to notify individuals of a breach will potentially increase the harm the individuals suffer (eg. by way of fraud which the perpetrator commits using the information) and thus the extent of the relief likely to be awarded to them if it is later found that the breach occurred as a result of a breach of Australian Privacy Principle 11. It is also possible that the individuals will be able to sue in negligence for the failure to notify though no precedent has yet been established under Australian law.

The reputational effect of a decision to notify or not to notify, and of what to say, are also significant. The Commonwealth Bank has published a report on the effect of data breach reporting on share prices. It found that on average share prices of companies that reported a data breach underperformed against the broader stock market by 2 to 4% in the following 100 days. It also noted that many companies’ prices were unaffected, and that factors affecting the impact include the type and magnitude of the data loss, what the market infers about the company’s security capability at the time of the breach, and the company’s confidence when communicating how it will remediate customer impacts: see Reporting Data Breaches – the Impact on Share Prices. A good data breach response plan may assist in minimising the impact on share price by conveying the capability and confidence that the market seeks.

1.   The new Australian provisions

The new provisions will introduce new data breach reporting obligations which will apply to all entities regulated under the Privacy Act 1988 (Cth). The Privacy Act binds private sector organisations (most businesses with turnover above $3m per year) and Commonwealth Government agencies.

They are expected to significantly increase the extent of data breach reporting in Australia.

2.   What counts as an eligible data breach?

Under the new provisions, an eligible data breach will occur where (s 26WE):

• there is unauthorised access to or disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates; or
• information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any of the individuals to whom that information relates.

Whether a reasonable person would conclude that a person was likely to suffer serious harm as a result of the breach depends upon a broad range of factors including the nature, sensitivity and protection-level of the information (s 26WG).

3.   What will affected entities be required to do?

The new legislation places various obligations on entities in response to an eligible breach. These include:

• Assessing whether there are reasonable grounds to believe an eligible data breach has occurred within 30 days of developing a suspicion of such a breach (s 26WH);
• Once an entity has reasonable grounds to believe there has been an eligible data breach, preparing a statement setting out the contact details of the entity, the nature of the breach and steps it recommends affected individuals take in response (s 26WK). A copy must also be provided to the OAIC; and
• Taking such steps as are reasonable in the circumstances to notify affected and at risk individuals of the contents of the statement as soon as is practicable. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents (s 26WL).

The OAIC may also direct an entity to notify affected individuals if it becomes aware that there are reasonable grounds to believe that the entity has suffered an eligible data breach (s 26WR).

4.   What are the consequences of non-compliance?

If an entity fails to comply with the new legislation the consequences are, in effect, the same as if the entity had failed to comply with the Australian Privacy Principles. In summary, the main consequences are the risk of a determination to pay compensation (and court proceedings by the OAIC for the payment of compensation if the entity does not comply) and also the risk of paying civil penalties of an amount up to $1.8 million in the case of corporations.

Entities that do not take appropriate steps to notify will also face the other possible consequences which exist under current laws outlined above.

5.   GDPR Data breach notification requirements

Australian businesses need to assess whether or not they will be subject to the new GDPR requirements.

If they are, then they should promptly take steps to comply with them.

The steps required in relation to data breaches are very similar to those under Australian law. Specifically, the GDPR will apply in relation to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. It will require:

• Data processors to promptly and without undue delay notify data controllers of such an incident; and
• Data controllers to notify the supervisory authority without undue delay, and if feasible, within 72 hours after becoming aware of it; and
• To notify affected individuals of data breaches which are likely to pose a high risk for the rights and freedoms of those individuals unless an exception applies.

Penalties for non-compliance are the higher of up to 10,000,000 Euros and 2% of worldwide revenue.

6.   What steps should be taken now to prepare?

In order to comply with the new law, and with existing laws, organisations should ensure that they have data breach response plans in place, and people who are ready and able to implement them at short notice.

Preparation of a plan, and responding to a breach, requires input from legal, information technology, PR and business experts. It is also important to understand your insurance position. Every company should consider the specific issues that might arise in its particular circumstances, including any regulatory considerations specific to its sector and in each jurisdiction in which it operates.

Plans should include details of which experts and business stakeholders to draw upon them including their after-hours contact details. Best practice also includes equipping those experts with sufficient knowledge of systems, the business, and likely scenarios to enable them to work quickly as a team if the worst occurs.

Every business hopes that through good security and training it will avoid being the subject of a major data breach.

The new Australian data breach notification laws provide further reason for entities which carry on business in Australia to put in place measures not only to prevent data breaches, but also to enable those businesses to respond quickly and effectively to any data breaches that do occur.