In-House Counsel: Preparing for Australia’s Mandatory Data Breach Reporting Scheme

Australia’s new mandatory data breach notification laws have now been passed, meaning that it will soon be compulsory for many businesses around the nation to report data breaches to regulators and customers. We consider what this means for in-house counsel, how Australia compares to other jurisdictions and how you can prepare for the future of data breaches and notifications.

Australia’s proposed mandatory data breach reporting scheme

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Notifiable Data Breaches Act) has now been passed by the Federal Parliament. This means that Australia will have a mandatory data breach notification scheme in effect in February 2018, unless an earlier start date is announced.

The scheme will affect all government agencies and organisations governed by the Privacy Act, and therefore does not apply to state government organisations, local councils or organisations with less than $3 million turnover a year.

How does Australia compare?

In an interview with Thomson Reuters, Michael Bishop, APAC Regional Legal Counsel for US-based data protection and software company, Commvault, said that the Australian laws are less stringent and involve smaller fines when compared with the EU General Data Protection Regulation (GDPR) and other regimes in the US and around the world, which may reflect concerns over disrupting the economy.

However, there are also some commonalities:

  • A shared focus on transparency and accountability.
  • An object of giving individuals confidence that their privacy is being protected.
  • A technology neutral stance: the legislation doesn’t specify, for example, any particular encryption technology.

An entity must notify the Australian Information Commissioner (AIC) and affected individuals “as soon as practicable” after becoming aware of any reasonable grounds to believe there has been an eligible data breach (unless an exception applies). This is similar to the approach taken in Taiwan, but is a more relaxed approach compared with the GDPR and Philippines privacy laws, for example, which prescribe a 72-hour notification window for many data breaches.

The new legislation also contains an obligation to carry out an assessment into the relevant circumstances where it is suspected that an eligible data breach has occurred.

Recognising eligible data breaches

The Notifiable Data Breaches Act describes a data breach as unauthorised access to, or unauthorised disclosure of, personal information. It extends to a situation where such information is lost in circumstances likely to give rise to unauthorised access or unauthorised disclosure.

An eligible data breach occurs if a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals because of the unauthorised access or disclosure.

This “likely risk” test is a refined version of the “real risk” test included in the 2015 exposure draft of the act. By replacing it with the more familiar legal concept of “likely risk”, the government has responded to stakeholder concerns that the concept of “real risk” lacked certainty and could have led to notice fatigue.

This concern is a real one – one of the biggest complaints about California’s mandatory data breach notification scheme is that its loose notification requirements have led to a situation of “the boy who cried wolf.”

Interpreting serious harm

In relation to the scope of “serious harm”, the explanatory memorandum included with the act suggests it could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.

“IT and legal should talk about what ‘serious harm’ means, review security measures in place and examine the likelihood that those measures could be overcome,” said Bishop.

Preparing for the mandatory data breach reporting scheme

“Collaboration and engagement between IT and legal departments is critical in preparing for the commencement of the scheme and managing risk generally,” says Bishop.

“Legal and IT need to be very strong business partners. In-house counsel should make efforts to understand the data and IT lifecycle; you need to know how data works within your organisation to understand your [data safety] obligations.”

There are also a number of steps in-house counsel can take to prepare for the mandatory scheme:

  • Review your organisation’s data collection practices and policies, and ensure personal information is collected and stored only if necessary.
  • Audit security risks to personal information held by your organisation and any held by third parties (such as cloud providers) on your organisation’s behalf.
  • Consider how internal data-handling and data-breach policies should be updated on commencement of the scheme to reflect the new requirements.
  • Review steps in place to avoid data breaches (for example, physical security of laptops and papers, cybersecurity strategies or ways to reduce administrative errors).
  • Review contract management and ensure that due diligence is done on contractors’ policies, particularly in the areas of IT security and personal information storage and collection.
  • Understand where in the world your company is doing business and know the regulations and laws with which you must comply.
  • If you’re part of a multinational corporation, consider how the Australian laws fit with your existing procedures – do they slot into existing procedures or will you need to develop a special process to deal with eligible data breaches in Australia?

Moving forward with a proactive approach

If one thing is clear from the experience of other jurisdictions, it’s that breaches are a reality and many more will come to light following the commencement of mandatory data breach reporting in Australia.

In-house counsel should ensure there is a solid breach notification and communication plan in place. “You can’t take the view that this will never happen,” says Bishop.

Such a plan can help avoid the associated PR disasters and possible litigation that may follow a breach. It could be the difference between retaining or losing clients and reputation. This proactive approach is also encouraged by provisions in the legislation which provide an ‘out’ if an organisation takes action following an eligible data breach before any serious harm arises.

In formulating a plan, Bishop suggests looking at the Californian laws for guidance. “They’re very prescriptive about what needs to be communicated following a breach: what happened, what information is involved, what the organisation is doing and what people affected can do.”

A strong connection between your legal team and business communications team is also critical in managing customer communications around breaches. This helps to ensure a consistent, accurate and well-timed response.

It’s also worth considering the circumstances in which a report should be made even when not required legally, in order to preserve customer relationships.

In-house counsel can also consider cyber insurance, which can offer your organisation financial cover from losing customer or employee data, the cost of restoring data after a breach and more.

A statement from the Office of the Australian Information Commissioner (OAIC) states that it will be working closely with agencies and businesses to prepare for the commencement of the scheme, including providing additional guidance and events hosted through the OAIC’s Privacy Professionals Network.

The OAIC also provides some guides which can be referred to as best practice models in the meantime, including:
