BreachExchange mailing list archives

Government Foreshadows New Privacy Obligations


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 16 Feb 2016 09:00:02 -0600

http://www.lexology.com/library/detail.aspx?g=bacbff62-61a0-45cd-a729-4e29e43b2d82

Any Australian business with an annual turnover in excess of $3,000,000
needs to be aware that it will likely be subject to mandatory reporting
obligations in the event of a security breach involving personal
information under its control.

The Commonwealth government recently released an exposure draft of the *Privacy
Amendment (Notification of Serious Data Breaches) Bill 2015* (Cth). The
exposure draft, which is accompanied by an Explanatory Memorandum, is open
for comment until 4 March 2016.  A final draft Bill will then be prepared and
presented before Parliament.

*What is the purpose of the proposed legislation?*

The objective of the proposed legislation is to amend the *Privacy Act
1988* (Cth)
by introducing an obligation on Australian government agencies and private
sector organisations to report "serious data breaches" involving personal
information under their control.

The scheme would not extend to "small businesses" (that is, businesses with
an annual turnover of $3,000,000 or less), nor would it extend to state or
territory government agencies or local councils.

The proposed legislation is a response, in particular, to increasing
concerns over the ramifications of identity theft.  It is estimated that
the economic impact of identity crime in Australia is in excess of $1.5
billion per annum.  A survey by the Australian Institute of Criminology in
2013 found that 9.4% of surveyed individuals reported having suffered the
loss or theft of personal information in the previous 12 months, with
victims on average losing $4,101 per incident and spending at least 8 hours
dealing with the consequences.

More broadly, a survey by the Ponemon Institute in 2015 found that the cost
to businesses associated with business losses arising from data breaches in
Australia, such as the abnormal turnover of customers, reputational loss
and diminished goodwill, rose from $0.66m in 2010 to $0.89m in 2015.

*What is a "serious data breach"?*

For the purposes of the proposed legislation, a "serious data breach" would
occur if personal information, credit reporting information, credit
eligibility information or tax file number information held by the entity
is subject to unauthorised access or disclosure, or lost in circumstances
that are likely to give rise to the same, and the access or disclosure will
or would put an individual at "real risk of serious harm".

A range of factors would be considered in determining whether a "real risk
of serious harm" exists, including the sensitivity of the information and
whether or not the information is protected by any security measures.  A
"real risk" would be one that is not remote.  "Harm" would include
physical, psychological, emotional, reputational, economic and financial
harm.

*What will entities have to do in the event of a data breach?*

The disclosure obligation would require an entity to notify the Australian
Information Commissioner and affected individuals if there are reasonable
grounds to believe that a serious data breach has occurred.

In circumstances where an entity suspects, but is not certain, that a
serious data breach has occurred, it would have 30 days to assess whether
notification is required.

It would not be a defence for an entity to fail to report a serious data
breach of which it was not aware if, in all the circumstances, it should
have detected the problem.

In addition to notifying the Commissioner, an entity would be required to
take such steps as were reasonable in the circumstances to also notify each
affected individual.  Notification of individuals would involve the use of
channels normally used by that entity to communicate with those individuals
(whether email, post or phone, for example).

The proposed legislation acknowledges that in some instances it may not be
reasonable to notify an individual – if, for example, contact details for
the individual are not held, or the cost of notifying each individual would
be excessive in all of the circumstances.  Nevertheless, if it were not
practicable to notify each affected individual, the entity would be
required to publish a notice about the data breach on its website and take
such other reasonable steps to publicise the notice (for example, through
an advertisement or social media post) as were appropriate in the
circumstances.

A failure to comply with the proposed notification obligations would fall
under the existing enforcement and civil penalties framework contained in
the Privacy Act, meaning that, for example, in the event of serious or
repeated non-compliance by the entity, the Commissioner could apply to the
Federal Court or Federal Circuit Court to impose a civil penalty.

*How will the proposed scheme interact with the data retention scheme?*

The *Telecommunications (Interception and Access) Amendment (Data
Retention) Act 2015* (*Data Retention Act*), which came into effect on 13
October 2015, requires the providers of certain services to retain a range
of communications data for a fixed period of time.  The proposed
notification obligations would apply to those service providers, with
respect to the data collected and retained by them under the Data Retention
Act.

*What led to this development?*

Mandatory data breach notification obligations have been under
consideration in Australia for some time.  This current proposal is a
response to a recommendation by the Parliamentary Joint Committee on
Intelligence and Security following its November 2014 enquiry into the bill
that led to the introduction of the data retention scheme.  The government
accepted that recommendation in March 2015.

The previous government attempted to introduce mandatory data breach
notification legislation in 2013, based on a recommendation made by the
Australian Law Reform Commission in its 2008 report "*For your Information:
Australian Privacy Law and Practice*".  The Bill was referred by the Senate
to the Legal and Constitutional Affairs Legislation Committee in June of
that year for further enquiry, but then lapsed with the subsequent change
of government.

The proposed legislation is consistent with international trends in the
area of data protection, with legislation already in existence, or in the
process of introduction, in the European Union, New Zealand, Canada and 47
of the US states.

In view of the economic rationale underpinning the proposed legislation,
the extent of similar international schemes and the previous bipartisan
support accorded to earlier attempts to introduce similar legislation into
the Australian Parliament, it can be comfortably assumed that, in one form
or another, mandatory data breach notification legislation will be
introduced in Australia in the course of 2016.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss