11 March, 2018
Organisations processing personal information in Australia are now required to disclose certain data breaches they experience under new laws that took effect on Thursday.
The mandatory data breach reporting rules, finalised last year, do not require every data breach incident to be reported. Only where a data breach puts individuals at likely risk of serious harm will breaches be 'eligible' for disclosure.
The notifiable data breaches (NDB) scheme provides for exceptions to the notification of eligible data breaches, including on secrecy grounds. Where the thresholds for disclosure are triggered and no exception applies, however, data breaches must be notified to both individuals and the Office of the Australian Information Commissioner (OAIC).
Examples of instances where notification would be required include a malicious breach of the secure storage and handling of information, accidental loss of IT equipment or hard copy documents, or a negligent or improper disclosure of information, according to an explanatory memorandum issued alongside the new legislation by Australia's parliament last year.
Breaches must be notified "as soon as practicable" after businesses become "aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies)", according to the memorandum.
However, in a speech in Sydney on Thursday, Australian information commissioner Timothy Pilgrim explained that in certain circumstances organisations will have some time to assess whether a breach is 'likely to result in serious harm' before the duty to notify is then triggered.
"I would … expect that organisations immediately endeavour to reduce any risk of harm to individuals when a data breach is first suspected," Pilgrim said. "In various instances, this remedial action can result in a data breach no longer presenting a likely risk of serious harm – which will mean that the notification requirements of the NDB scheme do not apply."
"Individuals must be notified promptly about eligible data breaches under the scheme. You may believe a data breach is likely to result in serious harm shortly after becoming aware of it. For example, if you became aware that an attacker had stolen personal information in order to carry out financial fraud and there is no action that can be taken to successfully mitigate this risk, it may be immediately clear that notification is required. In other circumstances, it may not be clear whether there is a risk of serious harm, or whether this harm is likely to occur. In these situations, the assessment obligations of the NDB scheme will apply," he said.
Under the 'assessment obligations', organisations have up to 30 calendar days to reach a conclusion on the likely harm a breach could have on individuals. Pilgrim said, though, that businesses may be obliged to disclose details of the breach before that backstop deadline to comply with the new laws, in certain cases.
"If, at any point, it is believed that a breach is likely to result in serious harm, organisations must notify affected individuals – regardless of whether an assessment has formally concluded," Pilgrim said.
According to the explanatory memorandum, data breach notifications must contain the identity and contact details of the breached entity, a description of the serious data breach, confirmation of the type of data compromised, and recommendations about the steps that individuals should take in response to the serious data breach,.
The OAIC has issued guidance to organisations on the new requirements. That guidance recommends that businesses develop a data breach response plan.
"The faster an entity responds to a data breach, the more likely it is to effectively limit any negative consequences," the OAIC said. "A data breach response plan is essential to facilitate a swift response and ensure that any legal obligations are met following a data breach."
Ewan Robertson of Pinsent Masons, the law firm behind Out-Law.com, said that a data breach response plan, together with sound information security policies and measures, "will be fundamental in enabling organisations to quickly and effectively respond to and manage a data breach".
"A data breach response plan is a process and framework setting out the procedures to be followed in the event of a data breach," Robertson said. "The response plan should include, among other things: a description of a data breach and an eligible data breach; procedure for assessment of a data breach, and; a strategy for containing and managing a data breach, including what remedial action could entail, determining how affected individuals and the information commissioner are to be notified."
"The plan should also identify the roles and responsibilities of employees, including who is responsible for implementing remedial action, who is responsible for notification, and who employees should report concerns or suspicions of a breach to – i.e. who would form part of the response team, as well as what documentation should be created and kept in the event of a breach, what action should be taken in the event of a breach, and a process for continual review of the plans," he said.
In his speech, Pilgrim said the new requirement to notify individuals of data breaches "represents a significant boost to privacy governance in Australia". He said that it will be important for organisations to ensure they can respond quickly and effectively to data breach incidents.
"When a data breach occurs, a quick and effective response can have a positive impact on people’s perceptions of an organisation’s trustworthiness," he said. "And by an ‘effective’ response, I mean one that successfully reduces or removes the risk of harm to individuals, and which aligns with community expectations… The communities’ expectations for personal information management are primarily based on the principles of transparency and accountability."
Businesses that try to hide the fact that they have experienced a data breach face "public vitriol", Pilgrim said.
The "standard of transparency" provided for will help deliver "greater public trust in data management across industries", while the rules will also encourage "a higher standard of privacy capability across industries", he said.
Most US states already have data breach notification laws in place, while in Europe the General Data Protection Regulation (GDPR) is set to introduce mandatory data breach reporting for all companies when it comes into force on 25 May 2018.
"While eliminating the risk of a breach entirely may not be possible – regulations such as the NDB scheme and the mandatory reporting requirements of the GDPR – make reducing and managing privacy risks a higher priority," Pilgrim said.
Pilgrim said the OAIC is "expecting to receive a significant increase in the number of notifications we currently receive".
In 2015–2016, Pilgrim's office received 107 voluntary data breach notifications. During the first 100 days that new mandatory data breach notification requirements applied in the Netherlands, however, the Dutch data protection authority received more than 1,000 notifications of breaches, Pilgrim said.
For further information, please contact:
Ewan Robertson, Partner, Pinsent Masons
ewan.robertson@pinsentmasons.com