Australia Implements Mandatory Data Breach Reporting

The Australian Parliament has enacted the Privacy Amendment Data Breaches Act 2017 which will take effect on 22 February 2018. It requires that all 'eligible' data breaches are notified to both affected individuals and to the Office of the Australian Information Commissioner (the OAIC).

The new regime will apply to all organisations that are caught by the principles set out in the Australian Privacy Act 1988. In practice, that is a long list and will include all Australian public sector agencies, any private sector and not-for-profit organisations with annual turnover of greater than A$3m, as well as some small businesses (collectively referred to in the Privacy Act as 'APP entities'). APP entities will be required to notify a data breach if:

  • There has been unauthorised access to, or disclosure of, information, or information has been lost in circumstances where unauthorised access or disclosure is likely to occur
  • Objectively, that access or disclosure is likely to result in 'serious harm' to any individuals to whom the information relates. In assessing whether 'serious harm' is likely to result, APP entities are required by the Amendment Act to:
  • Consider the kinds and sensitivity of the information
  • The kinds of people who are likely to have obtained access to it (and presumably, what their motives and likely uses of that information are)
  • Whether it was protected by any security measures (such as encryption)
  • The nature of the harm that could result.

Those factors allow APP entities a certain amount of discretion in determining how 'serious' a breach is. While it's frequently argued that immediate and voluntary disclosure following a breach is a very good thing, a significant number of breaches still go unreported in the hope of avoiding reputational, regulatory and legal damage. 

The same self-preservation interest is likely to remain a factor when an APP entity considers how 'serious' the harm from a breach could be, and therefore whether the mandatory notification requirements apply to them. At the same time, the new law needs to draw a line somewhere. As pointed out at a recent IAPP breakfast seminar hosted by Buddle Findlay, leaving a computer unlocked and unattended could be argued to be a data breach so any notification regime needs to create a sensible and workable yardstick that organisations can work with.

In Australia, the OAIC has promised guidance to assist APP entities in determining the seriousness of a breach.In New Zealand, guidance published by the Office of the Privacy Commissioner (OPC) strongly encourages notification to affected individuals and the OPC where there is a risk of harm (note the absence of the qualifier 'serious'). 
In a voluntary notification regime, organisations will exercise a lot more discretion, and so seriousness or materiality will be read into any decision on whether to notify or how to proceed.

The introduction of a mandatory breach reporting regime, and broader privacy law reform, has been on the cards in New Zealand for a long time and while there seems to be political will from both sides of the aisle, the process of introducing those reforms has not moved quickly. When it comes to breach notification, the best indicator we have is from a May 2014 Cabinet Paper which outlined a two-tier regime involving:

  •  Notification to the OPC of 'material' breaches
  •  Notification to both the OPC and affected individuals for more serious breaches, being those where there is a real risk of harm.

While any final statutory language would need to go through the various Law Commission, Parliament and Select Committee filters, it is interesting to note that, based on the wording of that Cabinet Paper, the prospect of any harm is enough to constitute a breach as 'serious' and therefore warrants notification to affected individuals. 
Whereas in Australia, there seems to be a qualitative threshold applied to the nature of the harm itself, i.e. a breach is only notifiable if it is likely to lead to serious harm.

To some extent, that might be playing with words, but there would presumably be advantages in aiming for consistency across the language and requirements of the two regimes. 

Companies operating in both the New Zealand and Australian markets could implement uniform policies and practices and there would be a greater body of applicable regulatory guidance.

Lexology

You Might Also Read: 

Is Breach Notification Part Of Your Response Plan?:

UK Parliamentary Committee Wish To Penalise CEOs for Cyber Breaches (£)

 

« UK SMEs Don’t Have Cybersecurity Recovery Plans
Healthcare Sector Accounts For 43% Of UK Data Breaches »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Intercede

Intercede

Intercede is a cybersecurity company specializing in digital identities, derived credentials and access control, enabling digital trust in a mobile world.

Tubitak

Tubitak

Tubitak is the scientific and technological research council of Turkey. Areas of research include information technology and security.

BigID

BigID

BigID is redefining personal data protection and privacy. BigID software helps companies secure their customer data & satisfy privacy regulations like GDPR.

Fingerprint Cards

Fingerprint Cards

Fingerprint Cards develops and produces biometric components and technologies that verify a person’s identity through the analysis and matching of an individual’s unique fingerprint.

IoT Defense

IoT Defense

IoT Defense (IOTD) is a cybersecurity and networking company building solutions that enable the protection of networks and the ever-increasing prevalence of IoT devices.

GulfTalent

GulfTalent

GulfTalent is the leading job site for professionals in the Middle East and Gulf region covering all sectors and job categories, including cybersecurity.

Prolimax

Prolimax

Prolimax deliver innovative solutions to IT Manufacturers, Distributors, Resellers and End-users including Data Erasure and secure IT Asset Disposition (ITAD)

Newtech Recycyling

Newtech Recycyling

Newtech Recycyling specializes in the removal and disposal of IT infrastructure which has reached the end of its life cycle.

ArmorText

ArmorText

ArmorText offers a seamless channel for communication and collaboration for organizations concerned with keeping communication data private and secure.

AlertEnterprise

AlertEnterprise

AlertEnterprise uniquely eliminates silos and uncovers blended threats across IT Security, Physical Access Controls and Industrial Control Systems.

Nova Leah

Nova Leah

Nova Leah helps connected medical device manufacturers meet cybersecurity compliance requirements throughout the entire product lifecycle.

VISTA InfoSec

VISTA InfoSec

VISTA InfoSec is a global Information Security Consulting firm with offices based in US, UK, Singapore and India.

Palitronica

Palitronica

Palitronica build cutting-edge hardware and breakthrough software that revolutionizes how we defend critical infrastructure and key resources.

Interactive

Interactive

Interactive are a leading Australian IT service provider with services in Cloud, Cyber Security, Data Centres, Business Continuity, Hardware Maintenance, Digital Workplace, and Networks.

Lakera

Lakera

Lakera empowers developers and organizations to build GenAI applications without worrying about AI security risks.

modePUSH

modePUSH

modePUSH is a cybersecurity company focused on end-to-end breach response from Digital Forensics to Restoration across the enterprise and cloud environments.