Australia Implements Mandatory Data Breach Reporting

Uploaded on 2017-06-15 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The Australian Parliament has enacted the Privacy Amendment Data Breaches Act 2017 which will take effect on 22 February 2018. It requires that all 'eligible' data breaches are notified to both affected individuals and to the Office of the Australian Information Commissioner (the OAIC).

The new regime will apply to all organisations that are caught by the principles set out in the Australian Privacy Act 1988. In practice, that is a long list and will include all Australian public sector agencies, any private sector and not-for-profit organisations with annual turnover of greater than A$3m, as well as some small businesses (collectively referred to in the Privacy Act as 'APP entities'). APP entities will be required to notify a data breach if:

  • There has been unauthorised access to, or disclosure of, information, or information has been lost in circumstances where unauthorised access or disclosure is likely to occur
  • Objectively, that access or disclosure is likely to result in 'serious harm' to any individuals to whom the information relates. In assessing whether 'serious harm' is likely to result, APP entities are required by the Amendment Act to:
  • Consider the kinds and sensitivity of the information
  • The kinds of people who are likely to have obtained access to it (and presumably, what their motives and likely uses of that information are)
  • Whether it was protected by any security measures (such as encryption)
  • The nature of the harm that could result.

Those factors allow APP entities a certain amount of discretion in determining how 'serious' a breach is. While it's frequently argued that immediate and voluntary disclosure following a breach is a very good thing, a significant number of breaches still go unreported in the hope of avoiding reputational, regulatory and legal damage. 

The same self-preservation interest is likely to remain a factor when an APP entity considers how 'serious' the harm from a breach could be, and therefore whether the mandatory notification requirements apply to them. At the same time, the new law needs to draw a line somewhere. As pointed out at a recent IAPP breakfast seminar hosted by Buddle Findlay, leaving a computer unlocked and unattended could be argued to be a data breach so any notification regime needs to create a sensible and workable yardstick that organisations can work with.

In Australia, the OAIC has promised guidance to assist APP entities in determining the seriousness of a breach.In New Zealand, guidance published by the Office of the Privacy Commissioner (OPC) strongly encourages notification to affected individuals and the OPC where there is a risk of harm (note the absence of the qualifier 'serious'). 
In a voluntary notification regime, organisations will exercise a lot more discretion, and so seriousness or materiality will be read into any decision on whether to notify or how to proceed.

The introduction of a mandatory breach reporting regime, and broader privacy law reform, has been on the cards in New Zealand for a long time and while there seems to be political will from both sides of the aisle, the process of introducing those reforms has not moved quickly. When it comes to breach notification, the best indicator we have is from a May 2014 Cabinet Paper which outlined a two-tier regime involving:

  •  Notification to the OPC of 'material' breaches
  •  Notification to both the OPC and affected individuals for more serious breaches, being those where there is a real risk of harm.

While any final statutory language would need to go through the various Law Commission, Parliament and Select Committee filters, it is interesting to note that, based on the wording of that Cabinet Paper, the prospect of any harm is enough to constitute a breach as 'serious' and therefore warrants notification to affected individuals. 
Whereas in Australia, there seems to be a qualitative threshold applied to the nature of the harm itself, i.e. a breach is only notifiable if it is likely to lead to serious harm.

To some extent, that might be playing with words, but there would presumably be advantages in aiming for consistency across the language and requirements of the two regimes. 

Companies operating in both the New Zealand and Australian markets could implement uniform policies and practices and there would be a greater body of applicable regulatory guidance.

Lexology

You Might Also Read: 

Is Breach Notification Part Of Your Response Plan?:

UK Parliamentary Committee Wish To Penalise CEOs for Cyber Breaches (£)

 

« UK SMEs Don’t Have Cybersecurity Recovery Plans
Healthcare Sector Accounts For 43% Of UK Data Breaches »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IASME Consortium

IASME Consortium

IASME is one of five companies appointed as Accreditation Bodies for assessing and certifying against the UK Government's Cyber Essentials Scheme.

National Cyber Security Directorate (DNSC) - Romania

National Cyber Security Directorate (DNSC) - Romania

DNSC (formerly CERT-RO) is the Romanian national cyber security and incident response team.

French Expert Center Against Cybercrime (CECyF)

French Expert Center Against Cybercrime (CECyF)

CECyF is a centre of excellence for countering cybercrime in France.

CyberGuarded

CyberGuarded

CyberGuarded are an accredited vendor independent information security testing and auditing company.

Tenfold Software

Tenfold Software

Tenfold is the unique, centralized platform for managing user and permissions efficiently and automatically.

Dreamlab Technologies

Dreamlab Technologies

Dreamlab specialises in securing critical IT infrastructures. We offer qualitative support and advice for managing your infrastructure and cyber security needs.

Jumio

Jumio

Jumio’s end-to-end identity verification and authentication solutions fight fraud, maintain compliance and onboard good customers faster.

Sanderson Recruitment

Sanderson Recruitment

Sanderson is a recruitment company providing expert recruitment services in areas including Cyber & Information Security.

Basque Digital Innovation Hub (BDIH)

Basque Digital Innovation Hub (BDIH)

The aim of the BDIH initiative is to provide industrial enterprises, especially SMEs, with the technological capabilities needed to meet the challenges of industry 4.0.

Red Sky Alliance

Red Sky Alliance

Red Sky Alliance (Wapack Labs Corp) is a cyber threat intelligence firm that delivers proprietary intelligence data, analysis and in-depth strategic reporting.

Gravitee

Gravitee

Gravitee helps organizations manage and secure their entire API lifecycle with solutions for API design, management, security, productization, real-time observability, and more.

Censinet

Censinet

Censinet provides the first and only third-party risk management platform for healthcare organizations to manage the threats to patient care that exist within an expanding ecosystem.

Core4ce

Core4ce

Core4ce is a mission-oriented company that serves as a trusted partner to the national security community.

Cyber Industrial Networks

Cyber Industrial Networks

Cyber Industrial Networks objective is to service the needs of industry in achieving reliable, robust and secure infrastructure that supports productivity.

Defendis

Defendis

Defendis develops AI-powered cybersecurity solutions for Government Agencies, Banks, and Businesses, designed to helps them contain data leaks, minimise damage, and proactively hunt for new threats.

Neo Auth

Neo Auth

Neo Auth is an identity and access management solution to help organizations optimize their cybersecurity processes.