Understanding the Notifiable Data Breach Scheme

The Australian Parliament yesterday passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016. These new data breach notification laws apply largely to private sector enterprises with an annual turnover of at least AUD $3 Million; the same entities that must already comply with the Australian Privacy Act.

The new Australian data breach notification laws require organisations to give notice of an “eligible data breach” within 30 days of becoming aware of it. The definition of “eligible data breach” may become the sticking point as this legislation takes effect; it varies depending on what sort of entity you are, but covers two elements:

  • that data has been lost or stolen; and
  • that the data represents a “likely risk of serious harm” to the individuals to whom it relates

There are some cases where a data breach doesn’t need to be notified, however, such as when remedial steps have been taken – for example, a lost mobile device or laptop that is remotely erased. In other words, cases where remedial steps have likely prevented the loss and the serious harm from occurring.

Ultimately this might mean we’ll see reported disclosures of lost data from organisations that simply didn’t bother with anti-theft features or full-disk encryption on laptops or mobile devices. While seemingly trivial to some, these technical controls are close to default these days and at least cover the low-hanging risk in this area sufficiently.

Establishing actual “serious harm” may prove problematic for some organisations when determining whether their breach is “eligible” or not. In the legislation, “serious harm” is described as covering areas as diverse as physical, psychological, emotional, economic, and financial harm, as well as serious harm to reputation. It will be interesting to observe how the courts add to this interpretation over time.

The introduction of these laws raises the information security governance stakes even higher, and places upon enterprises an expectation that they must do everything they can to protect customer and private data. In the event an organisation is compromised with an “eligible data breach”, it will have no choice but to disclose it, or face hefty fines of up to AUD $360,000 (for individuals) and up to AUD $1.8 Million (for organisations).

Directors of Australian companies need to be on notice to understand the implications of these new laws. SOS are already advising boardrooms on the benefits and opportunities that exist in implementing tangible cyber security policies & frameworks. Good governance, leadership and culture in an organisation, backed with technical diligence, can overcome many of the exposures that lead to data breaches.

Meanwhile, similar disclosure laws have already existed in most U.S. states since 2002, and the EU is already transitioning to its General Data Protection Regulation (GDPR), which comes into full effect from May 2018. If your organisation has exposure to these jurisdictions, you will need to fully consider the global privacy implications that may apply to you.

Interestingly, there are also third-party risk implications that need to be fully considered. For example, the legislation explains that if one of your third parties is holding data on your behalf, then a data breach there is assumed to be your problem as well. There’s nowhere to hide, and while some organisations have made a habit of outsourcing blame, this practice is likely to become a thing of the past.

In the meantime, let’s hope your organisation doesn’t suffer a compromise that has to be disclosed under these Data Breach Notification laws. But, if you do, the SOS team are only a phone call away and eager to assist wherever possible.
