Mandatory data breach notification requirements on the horizon again

8 Dec 2015

On Thursday, 3 December 2015 the Attorney-General’s Department released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill), together with a discussion paper, draft explanatory memorandum and draft regulatory impact statement.  The Bill is intended to replace the Privacy Amendment (Privacy Alerts) Bill 2013, which lapsed at the end of the previous Parliament despite bipartisan support.  If enacted in its current form, the Bill will amend the Privacy Act 1988 (Privacy Act) to introduce a mandatory obligation for agencies and organisations that are subject to that Act to notify both the Office of the Australian Information Commissioner (OAIC) and any affected individuals where there has been a ‘serious data breach’.  This might arise where an organisation’s IT systems are hacked in a cyber security incident, where a laptop or USB drive containing personal information has been stolen or lost, or where information is negligently disclosed.

There can be no doubt that circumstances that may give rise to a serious data breach are becoming more prevalent, with potentially disastrous consequences for organisations and for the people whose personal information is compromised.  According to the Australian Cyber Security Centre’s 2015 Threat Report released in August, in 2014 CERT Australia (the national computer emergency response team) responded to 11,073 cyber security incidents affecting Australian businesses, including 153 which involved systems of national interest, critical infrastructure and government, and the cyber threat to Australian organisations is ‘undeniable, unrelenting and continues to grow’.

Examples of recent high profile data breaches affecting millions of people abound, such as: 

  • the ‘hacktivist’ attack on extra-marital affair dating site Ashley Madison resulting in the release of personal information about its 37 million subscribers;

  • the infection of Target’s point-of-sale terminals with malware in the United States, leading to the theft of credit card details of more than 70 million customers;

  • the theft and sale to marketing companies of personal information and credit card details of 20 million people, nearly 40% of the population of South Korea, by an employee of the Korea Credit Bureau; and

  • the loss of personal information relating to 25 million people in the United Kingdom by Her Majesty’s Revenue and Customs after CDs containing the entire child benefit database were sent unencrypted through the post.

In light of the serious harm that data breaches can cause to affected individuals, the OAIC has issued voluntary data breach guidelines and received 110 voluntary data breach notifications in 2014-2015.  Mandatory data breach notification obligations have been recommended for several years, including in the Australian Law Reform Commission (ALRC) Report 108, For Your Information: Australian Privacy Law and Practice, issued in 2008, and more recently by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.  The Government agreed to implement the ALRC and PJCIS’s recommendations by the end of 2015, and came close to achieving this (although as the exposure draft of the Bill was only released on the last sitting day of 2015, the Bill will not be able to be introduced into Parliament before 2016).  If enacted, the Bill will take effect 12 months after it is passed and receives Royal Assent.

Under the Bill, if enacted in its current form, the obligation to notify the OAIC and any affected individuals in relation to a data breach: 

  • Will only apply to agencies and organisations that are subject to the Privacy Act, including telecommunications service providers with data retention obligations under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.  The obligation will not apply to a ‘small business operator’ as defined under that Act, State or Territory governments, certain intelligence or law enforcement agencies, or registered political parties.  Any entity which has an annual turnover of less than $3 million is likely to be a ‘small business operator’, unless it provides a health service or holds health information other than in an employee record, discloses or acquires personal information about a third party for a benefit, service or advantage, is a ‘contracted service provider’ to the Commonwealth, or is a ‘credit reporting body’.

  • Will only apply where there is a ‘serious data breach’, which requires that:

    • there has been unauthorised access to, or unauthorised disclosure of, personal information, credit reporting information, credit eligibility information or tax file numbers of one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure; and

    • there is a real (more than remote) risk of serious physical, psychological, emotional, reputational, economic, or financial harm to the individual to whom the information relates as a result of the data breach, or, if this threshold isn’t reached, the situation falls within one of the particular situations to be specified in regulations.

Relevant matters to take into account in assessing whether there is a real risk of serious harm will be listed.  The exclusion of data breaches that do not qualify as ‘serious’ from the notification obligation is intended to reduce the administrative burden of the regime for entities, and reduce the risk that individuals will be bombarded with so many notifications that they get ‘notification fatigue’ and ignore them.

  • Requires the entity to prepare a statement for the Commissioner containing prescribed information (including recommendations about what the affected individual should do in response to the breach) and take reasonable steps to notify the affected individuals of the breach and the contents of the statement, as soon as practicable after the entity is aware, or ought reasonably to have been aware, that there are reasonable grounds to believe that there has been a serious data breach, or if it is directed to do so by the Commissioner.  ‘As soon as practicable’ will include time taken by the entity in carrying out a reasonable assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to a serious data breach (so long as that assessment is carried out within 30 days after the entity becomes aware, or ought reasonably to have become aware, of the breach).  Entities can notify affected individuals by using the channels they would normally use to contact those individuals (for example, email, post or phone).  If it is not reasonable for an entity to take steps to notify every individual (for example, if it does not have contact details for each individual, or if the costs would be excessive in the circumstances), the entity would need to publish a notice on its website and take reasonable steps to publicise that notice.  These might include advertising in print or online media, or social media posts.

  • Will be subject to several exceptions, such as where there are already applicable mandatory data breach notifications (e.g. section 75 of the My Health Records Act 2012), for law enforcement purposes, where compliance would be inconsistent with another Commonwealth law regulating the use or disclosure of information (such as obligations to preserve the secrecy of protected information obtained under tax or social security legislation), or where the entity undertakes a reassessment of the circumstances within 30 days and determines that there were not reasonable grounds to believe that a serious data breach had taken place.  In addition, the Commissioner may exempt an entity from providing notification of a serious data breach where the Commissioner is satisfied that it is in the public interest to do so. 

If an entity does not comply with one of the obligations included in the Bill, it will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act.  The Commissioner will be able to use its existing powers to investigate, make determinations and provide remedies, including ordering civil penalties of up to $1.8 million where there has been a serious or repeated non-compliance.  

A mandatory data breach notification scheme is intended to provide confidence to Australians that, in the event of a data breach, they will be notified and able to take steps to mitigate any possible damage, such as changing passwords or cancelling compromised credit cards.  It remains to be seen whether the public will agree that the Bill achieves this outcome, and the scope of any changes that may be made to the Bill before it is introduced to Parliament as a result of the current public consultation process.  Some may consider that the Bill does not go far enough, for example by exempting small business operators (who may potentially hold significant amounts of personal and sensitive information), or by allowing 30 days to assess whether it is necessary to issue a notification about a suspected breach (by which time a significant amount of harm may already have taken place).  Others may say that the Bill imposes an undue cost on businesses and therefore goes too far.  If you would like to have your say one way or the other, submissions on the exposure draft of the Bill close on 4 March 2016.