11 December 2017
Mandatory data breach notification: What is it and how should you respond?
Mandatory data breach notification (MDBN) becomes law in Australia on 22 February 2018. This is a high-impact development requiring businesses to respond, because MDBN links the reputation and public standing of businesses holding personal information with the adequacy of their security measures. Expenditure on advertising and years of building customer trust through high-quality service and reputable conduct are put at risk by the obligation to inform customers when security measures fail.
1. Does MDBN apply to you?
Subject to some exceptions, the mandatory notification provisions will apply to private sector entities subject to the Privacy Act 1988 (Cth), including entities with an annual turnover of more than $3 million, businesses that provide a health service, businesses that disclose personal information for advantage, as well as federal government agencies and businesses that contract with federal government agencies.
2. What do you need to do in the event of a suspected data breach?
An organisation that suspects it may have suffered unauthorised access, disclosure or loss of personal information (data breach) capable of causing serious harm to any relevant data subjects (eligible data breach) will have a statutory obligation to undertake a reasonable and expeditious assessment of whether an eligible data breach exists and conclude the investigation within 30 days.
The new law does not define the meaning of "serious harm". Guidance suggests that physical, financial or economic harm and harm to reputation could be serious harm. Where the information involved is sensitive information, it is more likely that resulting emotional or psychological harm will be serious harm.
The new law provides that, in assessing the likelihood of serious harm, consideration should be given to the kind(s) of information that is the subject of the breach, the nature of the harm that might be caused and the person or persons who have obtained or are likely to obtain the information. Whether or not the information is protected by security measures, and the likely effectiveness of any such measures, are also relevant.
The new law requires the preparation of a notification statement as soon as practicable on becoming aware of an eligible data breach. When the statement is complete it must be delivered to the Privacy Commissioner and the contents notified to individuals to whom the relevant information relates or who are at risk from the breach. If individual notification is not practicable, the requirement is to post the statement delivered to the Privacy Commissioner on the organisation's website and publicise the statement.
The new law does not require notification where remedial action is successful, but it does not suspend the duty to notify to allow time for remedial action. There is no limit to the kinds of remedial action that might be taken, but this exception will likely need to be interpreted narrowly. Examples of remediation might include encryption that prevents any unauthorised access to lost data, or wiping the relevant device immediately before any possible unauthorised access. If lost or compromised data exposes accounts to unauthorised access, resetting passwords before any unauthorised access occurs could be remediation.
3. First to notify rule
An interesting feature of the new legislation is that it has a mechanism intended to prevent data subjects receiving multiple notices in relation to the same breach. If more than one party is holding the information that is the subject of the notifiable data breach, once a single party provides the notification, the other parties are no longer required to do so. However, this will not protect other involved parties from being associated with the breach as they would be named in the notification statement. There may often be compelling reasons to be the party preparing the notification.
A similar mechanism applies in relation to the obligation to investigate a suspected breach. If multiple parties suspect that a data breach occurred and one party proceeds to investigate, the other parties are no longer required to undertake an investigation.
4. Some practical steps that you can take to prepare for this new legislation:
- Modify your data breach response plan (if any) to take account of these new obligations. If you don't have such a plan, now is the time to put one in place.
- Your security questionnaire and relevant contractual provisions for third-party service providers should be updated to (a) take into account the need for full disclosure and cooperation from the provider should a breach occur and (b) manage the competing interests between you and the provider should there be a disagreement on matters such as whether or not the breach results in serious harm, who needs to be notified and what information to disclose in notifications.
- Although data breach is often discussed as a cyber security issue, the latest malware attacks have been delivered by targeted phishing, highlighting the need for better user awareness. Consideration should be given to training staff members on MDBN and updating security training, including appointing privacy champions in each business unit to train colleagues on the importance of respecting privacy and maintaining security.
- Review and update your organisation-wide security framework. Ensure that relevant information and security incidents are reported and investigated, and that any necessary remediation and/or preventative steps are taken. Ensure that privacy impact assessments are undertaken and that data security is given priority in new project plans.