Are you ready for the new mandatory breach reporting laws?

Wednesday 31 January 2018
Long Read

Failure to comply with the new Notifiable Data Breach (NDB) laws due to come into effect on 22 February could result in fines of up to $2.1 million for entities and $420,000 for individuals.

Last year, the Office of the Australian Information Commissioner (OAIC) published guidance on their website to help organisations build their systems in order to comply with the new regime.

However, the question now on everyone’s lips is whether the Commissioner will be looking to make an example of non-compliant organisations as a means of sending a message to other companies covered by the Privacy Act that are expected to comply with the notification legislation.

“We thought there would have been more examples made when the changes came in under the Privacy Act in 2014,” said Dudley Kneller, Partner at Madgwicks Lawyers. “However, that didn’t eventuate. It’s not clear whether that’s due to better compliance or more effective awareness raising by the Commissioner.”

On 12 March 2014, Australian Privacy Principles (APPs) replaced the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs).

In last year’s guidance, the OAIC released information on how to identify eligible data breaches, as well as how to notify individuals about eligible data breaches.

The LexisNexis whitepaper, authored by Kneller, highlights that at the time of the whitepaper’s writing, 48 US states had already enacted legislation requiring private and governmental agencies to notify individuals affected by serious security breaches.

In the whitepaper he also identified that the European Union, Canada and New Zealand have introduced, or intend to introduce, mandatory breach reporting laws into their legislation.

“That is aligning with the General Data Protection Regulation (GDPR) in the EU, which is probably more stringent,” Kneller said, in a recent conversation with GRC Professional. This is something Australian businesses with interests in jurisdictions affected by the GDPR will have to take into account when ensuring their compliance frameworks are relevant.

With the lobbying of the OAIC and the major data breaches that took place in 2017, there is an increased sense of awareness around the new mandatory breach reporting regime.

“I think there is an increased level of awareness,” Kneller said. “I think people now know there is something afoot, but they might not know the details, and a lot of the questions and comments we are getting from clients are along the lines of: ‘Is our organisation required to comply with this, and if so, what are the things we should have on our to-do list?’ So, the conversation moves from initial awareness and education to putting in place practical steps to understand and meet the new compliance obligations.”

Definition of ‘serious harm’
Where organisations might find themselves in trouble is around the definition of ‘serious harm’. But what does that mean, exactly?

The OAIC website offers guidance on what constitutes an eligible data breach:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, held by an entity
  2. This is likely to result in serious harm to one or more individuals
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action

On the topic of ‘serious harm’, however, the OAIC notes that the term is not defined in the Privacy Act; instead, it has provided some criteria in this area for organisations to consider in light of a breach.

The notion of ‘serious harm’ should be considered ‘holistically’ because the damage can range from:

  • Physical
  • Psychological
  • Emotional
  • Financial
  • Reputational

“So, making an assessment about what constitutes serious harm, which is one of the triggers for the notification…well, I think that’s going to pose a challenge,” said Kneller. “There might need to be a little more information about what that constitutes.”

Kneller added that it is possible different organisations will have different views about what constitutes ‘serious harm’.

This might be exacerbated by the requirement to report the breach within 30 days of the breach itself. It is a lot to assess in a short amount of time, particularly for organisations that may not already have those response processes in place.

Part of the Larger Conversation
It is clear the notification obligation is part of the broader conversation Kneller has had with organisations, which includes cyber breach preparedness and managing information security.

It is also part of the wider discussion for those organisations that have privacy regulatory obligations to meet in other jurisdictions.

And yet, there is still a tendency to view data protection and cyber security as a technology issue—and some organisations are not seeing the larger picture.

“The organisations that now appreciate that it is not just a technology issue but a commercial and business issue are leading those discussions, because they understand that information security, mandatory breach reporting governance and privacy are not just technology issues, siloed in one area—they are broader business issues that affect the whole organisation.”

However, Kneller suggests that, even for those organisations that do see this as part of their larger business risk, there remains the sense that this is still a ‘compliance challenge’—especially since the new obligations come at a time of increased scrutiny by regulators such as the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA) and the Australian Transaction Reports and Analysis Centre (AUSTRAC).

“It has not necessarily become more important,” he said. “But it is taking a lot of time from people in legal, in risk, and in compliance generally—you know, from where they would have focused generally, such as on revenue-based activities like negotiating customer contracts that add to the bottom line, rather than managing compliance obligations. I think organisations are finding this to be a bit of a challenge and a concern.”

Regulatory technology
“I think there is a real desire for technology that will help us deal with our compliance obligations more efficiently, whether that be through the use of AI or some other technology that can assist organisations to do that,” Kneller said.

Kneller said a compliance app for complying with the GDPR has been developed in the EU through the Lexing network, of which Madgwicks is a member. “We are hopeful it can be adopted for our Australian clients doing business in that region.”

Lexing is the first international network of lawyers that specialise in digital and emerging technology law.

Reputational risk

There should be a major focus on the potential of reputational damage being done if organisations don’t get this right.

“Where an organisation may have been able to previously sweep a data breach under the carpet, they are not now in a position to do that,” Kneller explained. “They have to come clean right from the word go.”

How to get this right?
  • Arm yourself with knowledge of the upcoming changes.
  • Understand whether you are impacted.
  • Plan steps to do compliance around that: review current policies, create a data breach response plan, and create templates for notifications for individuals and the Commissioner.
  • Take the opportunity to review your vendor arrangement to make sure suppliers are aware of the obligations to notify and that your arrangements are adequate.

OAIC Mandatory Breach Reporting Flowchart: