3 May, 2018
During 2017, cyberattacks continued to evolve and develop sophistication, exploiting both previously unidentified vulnerabilities and known vulnerabilities in new ways. Ransomware attacks such as Petya and WannaCry put critical functions across the world and across industries on hold, while the Mirai botnet attack, unleashed in late 2016, highlighted the increasing vulnerabilities of networked Internet of Things (or IoT) devices.
In this context, global regulators and legislators continue to implement new measures aimed at tightening cybersecurity and data privacy requirements for corporates. In 2017 alone, new and stringent regulations came into force in China, Australia, and New York State, with 2018 already seeing Singapore’s new cybersecurity law enacted and Europe’s GDPR set to enter into force within a few months.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (the “Amendment Act”), which amends the Privacy Act 1988, took effect on 22 February 2018. The Privacy Act 1988, which contains thirteen Australian Privacy Principles (“APPs”), regulates how personal information is to be handled. Subject to limited exemptions, the APPs apply to a wide cross-section of entities, including sole traders, corporates, partnerships, trusts and unincorporated associations (“APP entities”). The exemptions comprise small businesses (generally, entities having an annual turnover of AUD 3,000,000 or less), registered political parties and State/Territory authorities.
The Amendment Act introduces the Notifiable Data Breaches scheme, which obliges all APP entities to make notifications of “eligible data breaches”, namely breaches involving personal information that are likely to result in serious harm to any individual affected. An APP regulated entity that becomes aware of a potential eligible data breach must:
(i) conduct a reasonable and expeditious assessment within 30 days to determine whether an eligible data breach has occurred and therefore requires notification; and
(ii) upon confirming the occurrence of an eligible data breach, promptly notify the individuals whose information is involved in the breach, including details of the breach and recommendations about the steps such individuals should take in response to it. It must also lodge a statement in the prescribed form with the Australian Information Commissioner as soon as practicable.
Whether an eligible data breach has occurred will depend on whether the breach is likely (more probable than not) to result in serious harm to an individual whose personal information was part of the breach. Although “serious harm” is not defined by the Privacy Act 1988, the Office of the Australian Information Commissioner has stated that it may include serious physical, psychological, emotional, financial or reputational harm.
In the aftermath of a data breach, APP entities will therefore need to carefully assess the likelihood of serious harm to individuals on a holistic basis, taking into account the nature of the data breach and the potential consequences of the data becoming public.
Paul Moloney, Partner, Eversheds Sutherland
paulmoloney@eversheds-sutherland.com