An expert assessment of all factors relevant to each breach or incident should be undertaken prior to any reporting or notification decision.
Key points
- The financial and reputational impacts of a data breach or other cyber-security incident involving personal information can be far-reaching for organisations, their directors and officers.
- Some hope to avoid these impacts by staying silent when a compromise event occurs.
- Disclosure requirements under a range of industry and sectoral regulatory provisions are reducing legal options to remain silent about compromise events.
- Under current provisions of the Privacy Act 1988, not all data breaches involving personal information need to be reported, due to various exceptions and other limitations on scope of applicability of notification requirements.
- An expert assessment of all factors relevant to each breach or incident should be undertaken prior to any reporting or notification decision, including a decision to stay silent. Penalties may be imposed where mandatory reporting obligations are not met.
Background
Cyber-security and information management issues are hitting the headlines and dominating the nightly news. People are outraged that the security of their personal information held by companies such as Optus and Medibank Private — which is ASX-listed — has been compromised. There can be no doubt that the community expects organisations to take privacy and data protection seriously, and that it will blame and punish those organisations found wanting.
Liability of directors and officers
Community expectations extend to directors and officers. For some in this group the current spate of cyber attacks is particularly significant in light of the May 2022 findings in the landmark decision of the Federal Court in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v RI Advice).[i] Now, if a corporation holds an Australian Financial Services Licence (AFSL) and the licensee contravenes the Corporations Act 2001 (Cth) (Corporations Act) as a result of having inadequate cybersecurity risk management or cyber resilience, directors and officers in certain regulated industries may be at risk of personal liability, pursuant to general obligations under s 912A.
This development follows closely on the amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SCI Act) that came into effect in late 2021. The amendments significantly expanded the scope of the SCI Act’s application[ii] and, in Part 3A, introduced new mandatory reporting obligations for critical cyber-security incidents (which may of course involve personal information), with tight time lines and civil penalties imposing greater responsibilities on directors.
So, as more details of the Optus, Medibank Private and other hacks emerge, well-prepared organisations, and especially their directors and officers, will be:
- Ensuring they understand cybersecurity risks as they apply to their own organisation and sector (including what kinds and quantities of sensitive data they hold and how it is stored); and
- Re-checking their cybersecurity risk management. These measures will include not only:
  - protective measures such as engaging cyber-security experts as employees and consultants to assess the risk, but also
  - a review of arrangements for responding to a breach or an incident involving the data they hold, to minimise the various kinds of damage a successful cyber attack can cause.[iii]
Disclosure as a component of data breach response
If, despite its cybersecurity precautions, an organisation does experience a data breach, it will need to think carefully about disclosing it.
All Australians are encouraged to voluntarily report cyber incidents through the Australian Cyber Security Centre’s (ACSC) ReportCyber tool, which was developed as a national policing initiative. This tool provides a single online portal for individuals and businesses to report cyber-crime, incidents or vulnerabilities, whether or not they involve personal information. In the year 2021-22 the ACSC received over 76,000 cybercrime reports.[iv]
Nevertheless, reported breaches are likely only the tip of the iceberg, and some breaches are acknowledged only months after the event, sometimes after affected individuals have contacted the media.
Reasons for not reporting may vary: some organisations may be unaware that the data they hold has or may have been compromised. Others may not report in the belief that they are not compelled to do so and/or where their directors and officers hope to avoid the embarrassing and potentially costly consequences of a publicised breach or incident.
Clearly, before any reporting decision is made, organisations need to fully consider any mandatory obligations to notify regulators that may apply in all the circumstances of their specific cyber-breach event. A listed company like Medibank Private experiencing a major data breach is likely to find it has few options other than disclosure: under ASX Listing Rule 3.1, once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities (as in Medibank’s present incident), the entity must immediately tell ASX that information.[v] Once the ASX has been told, other regulators may also require notification or otherwise investigate.
Similarly, companies that provide services to Commonwealth, state or territory governments, such as the PNORS Technology Group (PNORS) recently reported as hacked, may be subject to contractual terms that leave them little choice about reporting breaches. PNORS reportedly provides services to six Victorian agencies,[vi] and these agencies could be bound by the information security incident notification scheme introduced by the Office of the Victorian Information Commissioner (OVIC) as an element in the Victorian Protective Data Security Standards (VPDSS). The VPDSS is a legislative instrument issued under ss 86 and 87 of the Privacy and Data Protection Act 2014 (Vic.) (PDP Act) that establishes 12 high-level requirements for the Victorian public sector.
Mandatory reporting under the Privacy Act
What reporting is required by the Office of the Australian Information Commissioner (OAIC)?
Organisations and agencies regulated by the Privacy Act 1988 (Privacy Act) (APP entities) should by now be familiar with the requirements of the Notifiable Data Breaches (NDB) scheme established in 2017. For the purposes of the Privacy Act, a data breach occurs when personal information held by an organisation or agency is lost or subjected to unauthorised access or disclosure, for example when a database with personal information is hacked.
Subject to exceptions, a data breach is notifiable (to the OAIC and affected individuals) if:
- An organisation or entity within scope of the scheme under s 26WE (generally APP entities, credit reporting bodies, credit providers and tax file number recipients) has reasonable grounds to believe that an eligible data breach has happened; or
- It is directed to do so by the Commissioner.
Not every data breach will be ‘eligible’. The key consideration here is whether a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates. Each breach has unique characteristics and in each instance of breach, expert advice should be obtained as to whether the threshold of ‘likely to result in serious harm’ has been reached. If the threshold has not been reached, the breach may not need to be notified to the OAIC and affected individuals. Entities must take all reasonable steps to complete their assessments within 30 days.
Even eligible data breaches may not need to be reported if the exception for remedial action in s 26WF of the Privacy Act applies. In general terms, this exception means that if the serious harm to affected individuals is averted before it occurs, by the actions of the organisation or entity, then the breach will be taken not to be (and never to have been) an eligible data breach requiring notification.
Again, however, an expert assessment of all factors relevant to each breach should be undertaken before this exemption is relied upon. Have all potential forms of harm been identified? Are they serious? What action could avert the harm, and is it practicable? Clearly, where the current personal information of large numbers of individuals is known to already be in the hands of criminals, it will be very difficult to avert likely harm. But even then, some organisations might consider actions such as payment of a cyber-ransom as a remedy, albeit an extreme one.
If a ransom payment actually removed the relevant threat to affected individuals, arguably the exception could apply. However, reaching a decision as to whether or not to pay a ransom is a complex process that necessarily takes into account elements such as the identity of the attacker (state actor? criminal?), the real prospects of recovering lost data or having it removed from the cyber marketplace, any insurance coverage,[vii] and whether or not payment of a ransom could be illegal in the circumstances, for example under proceeds of crime or terror financing laws.[viii]
Penalty provisions
Potential penalties should also be considered when deciding whether to report. Where failure to make a notification of an eligible data breach amounts to a serious or repeated interference with privacy, the Privacy Commissioner has the power to seek civil penalty orders.[ix] Recent proposed amendments to the Privacy Act will both enhance the Commissioner’s information sharing powers and increase penalties for serious or repeated privacy breaches, amounting to not more than the greater of:
- $50 million;
- 3 times the value of the benefit obtained through the misuse of the data; or
- 30% of the adjusted domestic turnover in the relevant period if the value of the benefit cannot be determined by the Court.[x]
Conclusion
If, despite robust cyber governance and vigilance, organisations experience a cyber breach, their response plan needs to provide for expert consideration of all relevant factors before any reporting or notification decision is taken. Though cyber breaches, once exposed, can be very costly, silence may not prove golden either.
For further information please contact Deidre Missingham.
This article is not intended and should not be treated as legal advice.
[i] Nine cybersecurity incidents that occurred between 2014 and 2020 were at issue. They included hacking, ransomware, phishing emails and unauthorised access to a server, resulting in exposure of the personal information of thousands of clients, some of whose information was subsequently used without authorisation.
[ii] Under s 8D each of the following sectors of the Australian economy is a critical infrastructure sector:
(a) communications;
(b) data storage or processing;
(c) financial services and markets;
(d) water and sewerage;
(e) energy;
(f) health care and medical;
(g) higher education and research;
(h) food and grocery;
(i) transport;
(j) space technology;
(k) defence industry.
[iii] Less well-prepared organisations should be making an immediate start on getting their house in order. ASIC’s latest Cyber resilience good practices guidance would be an excellent resource to start with. See also the AICD CSCRC Cyber Security Governance Principles.
[iv] ACSC Annual Cyber Threat Report, July 2021 to June 2022.
[v] In Medibank’s case, on 13 October a ‘Pause in Trading’ was announced, followed by another 10 announcements relating to its ‘cyber incident’ over subsequent days to 26 October. It is revising its full year 23 outlook as a result of the cybercrime. Medibank did not hold cyber insurance and on 7 November announced to the market that it would not pay a ransom.
[vi] See ‘No school data online, says hack victim’, Age, 7 November 2022.
[vii] The Australian Government generally discourages the payment of ransom or extortion payments by insurance companies, because it ‘feeds the criminal enterprise’: see for example https://cybersecuritycrc.org.au/sites/default/files/2021-10/Underwritten%20or%20oversold%20%20-%20DV.pdf
[viii] If the Ransomware Payments Bill 2021 were revived, it may also become mandatory to report ransomware payments to the Australian Cyber Security Centre. Note that the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 was introduced to Parliament in September this year.
[ix] See Privacy Act ss 13(4A), 13G and 80W.
[x] Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.