Australian Parliament passes Mandatory Data Breach Notification legislation
Following the passage through Parliament this week of long-awaited changes to privacy laws in Australia, many Australian organisations will soon be legally required to notify their customers and the Australian Privacy and Information Commissioner of a data breach affecting personal information.
The Privacy Amendment (Notifiable Data Breaches) Bill 2017 was passed by the Senate on 13 February, following passage through the House of Representatives on 7 February. Its effect will be to establish a scheme for the mandatory reporting of data breaches by organisations regulated by the Privacy Act within 12 months of receiving Royal Assent.
Will your organisation be affected?
The new legislation applies to any organisation which is currently subject to responsibilities under the Privacy Act.
This includes businesses and not-for-profit organisations with an annual turnover of $3 million or more.
There are also a number of additional categories of regulated organisations under the Privacy Act, regardless of turnover, including but not limited to private health sector providers, credit reporting bodies, employee associations and contracted service providers under a commonwealth contract.
What does the new legislation require you to do?
Following introduction of the mandatory data breach notification scheme, the new legislation requires all regulated businesses to report any “eligible” data breach to the Office of the Australian Information Commissioner, and also to notify individuals who may have been affected as soon as practicable.
Where a regulated organisation suspects an “eligible” data breach has occurred, the organisation must conduct an assessment into the circumstances within 30 days to determine whether it has actually occurred, and whether notification is required.
Notifications to the Commissioner and to affected individuals must include:
• Identity and contact details of the affected organisation;
• A description of the data breach;
• Details of the information that has been compromised;
• Recommendations as to steps that affected individuals should take in response to the data breach (e.g. changing passwords or cancelling credit cards).
An organisation must then take “reasonable steps” to communicate the contents of the statement to each of the affected individuals, as well as to the Commissioner. It can do this using the normal means by which it communicates with those individuals, and where this is not possible, it can publish the notification on its website.
What is an “eligible” data breach?
The bill defines an “eligible” data breach as:
1. Unauthorised access to, or unauthorised disclosure of, personal information, or loss of personal information where unauthorised access or disclosure is likely to occur; and where
2. A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
This definition includes the malicious breach of secure information (i.e. a hack), as well as the accidental loss of soft or hard copy documents and negligent or improper disclosure of information.
Personal information includes any information about an identified or reasonably identifiable individual, including name, signature, address, telephone number, date of birth, medical records, bank account details or credit information.
The definition also requires that a “reasonable person” would conclude that “serious harm” is likely to result to affected individuals from the breach. While “serious harm” is not defined in the legislation, the Explanatory Memorandum to the bill notes that it includes serious physical, psychological, emotional, economic, financial and reputational harm.
What happens if you don’t notify following an eligible data breach?
Under the new legislation, a failure to comply with the notification requirements will be treated as an “interference with the privacy of an individual”. The Privacy Commissioner has broad powers to issue directions requiring an organisation to notify, and to impose other remedies such as public apologies and compensation payments. In cases of serious or repeated non-compliance, the Commissioner can issue a fine of up to $360,000 for individuals and $1.8 million for organisations.
What should you do now?
The new notification scheme has been on the government’s agenda for a number of years, and its final passage through Parliament is another reminder that businesses need to be aware of their risk exposure and the potential consequences of a data breach: not only compliance with this new regulation, but also the associated reputational damage and the other first and third party costs that can follow. What, then, should your organisation do now?
1. Review your organisation’s data security
It goes without saying, but ensuring that proper procedures and controls are in place to protect your customers’ and employees’ data should always be front of mind for your company. While the commencement of the notification scheme is still some months away, now is an ideal time to ensure your security practices are up to date.
2. Consider the value of Cyber Insurance
The majority of the expenses that might be incurred by a company to comply with this new legislation are insurable under a cyber insurance policy, including legal expenses for determining whether notification of a data breach affecting your company is required under the law, and the costs involved in notifying those customers.
The insurance can also cover computer forensics and other expenses incurred in conducting an assessment into the circumstances of a data breach where necessary, the provision of credit and ID theft monitoring services to affected individuals, as well as fines and penalties that might be issued by the Commissioner for failure to comply.
Most importantly, cyber insurance also provides an insured with access to a dedicated and experienced breach response coach to manage and advise on the best method for handling any cyber-related or data breach incident from initial discovery through to final resolution.
JLT offers customised and market-leading cyber insurance solutions to protect our clients not only from the above-mentioned costs of a data breach and of compliance with this new legislation, but also from a variety of other expenses that may result from a cyber-related incident, including:
- Public relations and crisis management costs;
- Data restoration costs;
- Business interruption loss and additional costs of working following an outage; and
- Damages and legal expenses following a third party claim for breach of privacy, breach of network security or breach of IP rights and defamation.
Contact your JLT adviser for more information.