Tell me what happened – data breach disclosure now mandatory

Australian persons – whether corporate or individual – and Australian government agencies will soon have to shoulder new responsibilities for a data breach occurring anywhere in the world. On 13 February the Government passed new laws said to constitute “some of the most stringent disclosure laws in the world”.¹

The new laws will impact directly on Australian organisations involved in the collection and usage of personal data, and indirectly on overseas businesses offering cloud services and data storage for Australian organisations. In short, if an organisation suspects that personal information under its control has been accessed in such a way as to be likely to cause serious harm to the people to whom the information relates, it must formally investigate the issue and notify the Office of the Australian Information Commissioner (“OAIC”). OAIC has the right to apply to the Federal Court for action against serious or repeated data losses, exposing corporate offenders to penalties of up to AUD1.8 million.

Australian and overseas organisations need to be alive to these new statutory duties – to investigate and to report any data breach – that are to be installed into the Privacy Act 1988 (“the Privacy Act”). Existing contracts and precedent documents should be reassessed to ensure that third party service providers having the custody or usage of personal data are subject to obligations that replicate those under the new laws.

Moulis Legal Partner Daniel Moulis reports on this important new development.

Information is power, and power corrupts

Large scale information leaks frequently command news headlines around the world. Examples abound. The media breathlessly reported the massive Ashley Madison dating site leak in July 2015, when the self-styled “Impact Team” stole user data and attempted to extort the website operator. When Ashley Madison refused to negotiate, Impact Team made more than 25 gigabytes of private information freely available to internet users anywhere. Similar in scale and impact was the hacking of Panamanian law firm Mossack Fonseca, when more than 11.5m sensitive personal and corporate files were published on the internet. Business dealings revealed by the Panama Papers brought about the resignation of Iceland’s Prime Minister, Spain’s Minister for Industry, and the Chilean head of Transparency International, and have been the launch pad for countless tax investigations and prosecutions across many countries.

Australian organisations have not been immune, either. In 2016 the Red Cross Blood Service suffered the loss of the intensely private information of over 550,000 blood donors.²

The establishment of OAIC in 2010, and increasing public concerns about the security of personal data, enlivened calls for strong breach notification laws. Notification is seen as a way of increasing the pressure on data holders to take stringent measures to protect data and to allow for individuals to take remedial steps to lessen the adverse impacts of unauthorised disclosures.

Who and what is covered by the new laws?

Businesses with an annual turnover of more than AUD3 million are subject to the new reporting requirements. Commonwealth Government agencies are covered too, although the penalties for a breach do not apply to them. Also covered are:

• reporting bodies or authorised agents under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
• protected (industrial) action ballots under the Fair Work Act 2009;
• the activities of selling or purchasing personal information;
• service providers in respect of an Australian Commonwealth contract (whether or not a party to the contract); and
• credit reporting bodies.

The mandatory data breach notification scheme creates new impetus for organisations across a number of business types, and across multiple industries – and those who service them – to understand not only the circumstances that mandate OAIC notification, but also the privacy principles under the Privacy Act that underpin the confidentiality that the Privacy Act seeks to protect.

The requirement of notification has been crafted very widely. A so-called “eligible data breach” occurs where two conditions are met:

• first, unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
• second, whether a reasonable person would conclude that the access, disclosure or loss is likely to “result in serious harm to any of the individuals to whom the information relates”.

Importantly, any circumstance where an “entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach” will also give rise to a requirement to provide a notification to OAIC. Thus, the threshold for a reportable data breach is very low – any cause for suspicion that a data breach may have occurred is enough to trigger a notification.

Mind you, it is not just any breach that will be considered to result in serious harm to an individual. The new laws indicate that the kind of information, the persons who receive it, its intelligibility and the nature of the suggested harm are all factors that need to be evaluated in deciding whether the requisite “seriousness” of the breach has been met.

Data “exporters” and overseas “importers” – a shared liability

These days, information is anywhere and everywhere. Although overseas organisations are not directly covered, such that they must report a data breach to the Australian authorities, the liability of Australian organisations travels with the information they collect. Australian privacy principles require that accountability for the security of any personal information remain with the Australian organisations concerned with its collection or control. The organisation having effective control of personal information – not third party “clouds” or secondary information service providers – continues to have the obligation to notify of any suspected or actual data breach. The fact that it was a third party server that was hacked, or that inadvertently published the data, does not exculpate the Australian organisation that was responsible for the security of the data in the first place.

Regardless of where the information is, or who “allowed” the unauthorised disclosure to occur, the originating entity in Australia must provide notification to OAIC. This adds to the Privacy Act’s insistence that Australian organisations must take reasonable steps to ensure that overseas data recipients will handle personal information in accordance with the privacy principles prescribed under Australian law.

How to disclose to OAIC

Where an organisation suspects that there could be reasonable grounds to believe that a data breach has occurred, it has 30 days to carry out an assessment of the circumstances in order to establish whether the reasonable grounds exist. Interestingly, if the organisation takes action quickly enough, so that the access or disclosure is suppressed to such an extent that serious harm is not likely to occur, it does not have to report, and cannot be directed to advise the individuals concerned.

If the organisation has established that there are reasonable grounds to believe that a data breach has occurred, or if there is no doubt as to the breach, it must notify OAIC. This notification is to be in the form of a written statement setting out:

• a description of the data breach that occurred or might have occurred;
• the kind or kinds of information concerned; and
• what should be done.

OAIC will then determine if further action is required. The organisation concerned will be required to notify other parties, and this could obviously include all of the individuals whose information was subject to the unauthorised access, disclosure or loss.

A failure to comply with the new notification scheme will be “deemed to be an interference with the privacy of an individual”. Serious or repeated privacy interferences will attract a penalty of up to AUD1.8 million for bodies corporate.

Three monkeys will not get you out of this one…

The new laws have been passed but are not yet in effect. According to the terms of the new laws, they must come into effect sometime in the next 12 months. Organisations that collect and hold the very wide categories of information that are subject to the privacy principles under the Privacy Act should:

• assess existing information security measures;
• educate information officers and institute internal checks and reporting protocols;
• verify the security measures employed by third party data service providers;
• negotiate better contractual mechanisms for notification and protections against a breach;
• if at all possible, seek indemnities, even if limited; and
• improve contractual precedents.

The new laws make clear that lax information security will not be tolerated. The defence of the unknowing monkeys is not available. The evil is easily seen, easily heard, and must be spoken about to make your organisation compliant with the new regime.

Moulis Legal’s trade regulatory team handles WTO-related matters, export and import compliance, trade sanctions, and cross-border commercial arrangements. For more information please contact Daniel Moulis on +61 2 6163 1000 (daniel.moulis@moulislegal.com).

This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.

© Moulis Legal 2017

[1]  Australian Financial Review, Hidden challenges emerge as data breach notification laws finally hit Australia (28 November 2016) http://www.afr.com/technology/web/security/hidden-challenges-emerge-as-data-breach-notification-laws-finally-hit-australia-20161125-gsxnri

[2]  Australian Broadcasting Corporation, Red Cross Blood Service admits to personal data breach affecting half a million donors (28 October 2016) http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036