Notifiable data breach scheme in Australia has cross-sector impact

The Privacy Amendment (Notifiable Data Breaches) Act 2017 was introduced into law in February 2017, but it only took effect on 22 February 2018. The legislation introduced a mandatory data breach notification regime into Australian law (NDB scheme). It applies to certain breaches of personal information.

The NDB scheme will affect:

• organisations that are established or carry on business in Australia with an annual turnover of over AUS$3 million ($2.34m);
• certain organisations with a turnover of less than $3 million, such as healthcare providers, entities that trade in personal information, and credit reporting bodies; and
• government agencies.

Australian entities subject to the NDB scheme may also be responsible for notifying data breaches experienced by data processors they use that are based overseas where those overseas recipients experience an eligible data breach. In those circumstances the NDB scheme treats the Australian entity as if it had held the information and suffered the data breach themselves. Australian entities will therefore not escape the NDB scheme simply because the information is held, or the data breach occurs, offshore.

Obligation to notify

Under the NDB scheme, organisations must notify affected individuals and the information commissioner of "eligible data breaches". A data breach is considered 'eligible' where all of the following conditions are satisfied: 

• there is unauthorised access to, or disclosure of, personal information held by the organisation, or information is lost in circumstances where unauthorised access or disclosure is likely to occur – i.e. there is a data breach;
• a reasonable person would conclude that the data breach is likely to result in serious harm to any of the individuals to whom the information relates; and
• the organisation has been unable to prevent the likely risk of serious harm with remedial action.

While 'serious harm' is not defined in the legislation, the explanatory memorandum to the Act states that it should be broadly construed and is a term that could be considered to include any or all of physical, emotional, economic, financial and reputational damage. Whether this is likely to occur should be decided from the perspective of a reasonable person in the position of the holder of the information, not the person about whom the information related. The explanatory memorandum further notes that 'likely' means probable, rather than possible. 

Factors to be considered in assessing whether a data breach constitutes an eligible data breach include: 

• the type and sensitivity of the information;
• whether the information is protected by security measures, and the strength of these measures;
• the person/categories of persons who have or could obtain access to the information; and
• the nature of the harm.

What do you have to do if you suspect there has been an eligible data breach?

When organisations become aware of a data breach but are unsure whether they have an obligation to notify under the NDB scheme, then they must carry out an assessment/investigation of the breach. This must be performed in an expeditious manner and, in any event, within 30 days of becoming aware of the potential eligible data breach.

If there has been, or there are reasonable grounds to believe that there has been, an eligible data breach, then organisations must notify in accordance with the NDB scheme.

When notifying, organisations must: 

• as soon as possible, prepare a notification statement on the eligible data breach, which includes identity and contact details of the company that suffered the breach, a description of the breach, the type of the information concerned and the recommended steps for individuals to take in response to the breach; and
• provide the statement to Australia's information commissioner; and any affected individuals.

Where it is not practical for organisations to notify all affected individuals, they must publish a copy of the statement on their website and take reasonable steps to publicise the content of the statement.

Failure to notify an eligible data breach is an "interference with the privacy of the individual" under Australia's Privacy Act and can give rise to civil penalties.

Exceptions

Entities will be exempted from the notification requirements where: 

• the notification is inconsistent with a secrecy provision in another law (for example legislative requirements of secrecy under the Australian Security Intelligence Organisation Act 1979;
• if they have taken effective remedial action in respect of the 'eligible data breach' before it causes serious harm – i.e. action taken that would result in a reasonable person concluding that access or disclosure would not be likely to result in any serious harm to the affected individual(s). Consider, for example, the remote wiping of electronic devices); or
• if the eligible data breach affects multiple entities, one of the other affected entities has already given notice of the eligible data breach in accordance with the notification requirements.

Penalties

Failure to comply with the NDB scheme could result in exposure to material civil penalties, which currently stand at AUS$360,000 ($281,000) for individuals and AUS$1.8m ($1.41m) for corporate entities. In addition, failure to comply will expose organisations to risks of reputational and/or other associated commercial damage, including a loss of trust.

What should businesses do? 

• Implement information security policies and measures

Adherence to information security policies and the implementation of information security measures will be fundamental in preventing breaches, as well as in ensuring that entities are prepared in the event of a breach. Prevention will be vital in limiting reputational harm to entities.

Implementing security measures will make it less probable that a data breach will be likely to cause serious harm to an individual and therefore less the likelihood that it would be subject to notification requirements.

Entities should implement security technology such as encryption and/or two-factor authentication with respect to both electronic devices and portable information storage devices like USBs and external hard drives. 

• Prepare a data breach response plan

A data breach response plan will be fundamental in enabling entities to quickly and effectively respond to and manage a data breach. A data breach response plan is a process and framework setting out the procedures to be followed in the event of a data breach.

The response plan should include, among other things:

• a description of a data breach and an eligible data breach;
• procedure for assessment of a data breach;
• strategy for containing and managing a data breach, including what remedial action could entail, determining how affected individuals and the Information Commissioner are to be notified;
• identification of the roles and responsibilities of employees, including who is responsible for implementing remedial action, who is responsible for notification, and who employees should report concerns or suspicions of a breach to – i.e. who would form part of the response team;
• what documentation should be created and kept in the event of a breach;
• what action should be taken in the event of a breach; and
• a process for continual review of the plans.

Further information

The Office of the Australian Information Commissioner (OAIC) has issued guidance to organisations on the new requirements, as well as a number of other resources on the topic.