What is an "eligible data breach"?
A "data breach" occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure, or other misuse or interference. A data breach is an "eligible data breach" where "a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure".
The Explanatory Memorandum to the Bill states that "likely" means "more probable than not", and that the "serious harm" can extend to "serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation".
How should an APP entity respond to an eligible data breach?
There are four key steps that an APP entity should take in response to an eligible data breach.
A notification of an eligible data breach must:
Where it is impracticable to notify individual customers of an eligible data breach, an entity must publish the above details on its website, and take reasonable steps to publicise the details.
As mentioned above, the affected individuals should be notified as soon as reasonably possible after the entity becomes aware, or ought reasonably to have become aware, of the breach. If an assessment is necessary to determine whether an eligible data breach has occurred, a maximum time frame of 30 days is allowed under the new requirements in which the entity must take all reasonable steps to complete the assessment of the possible breach. However, the Explanatory Memorandum explains that this 30-day period is not a hard deadline, as in some instances it may not be possible to complete the assessment due to complexities or the nature of the breach.
What are the consequences of failing to report eligible data breaches?
Failure to comply with the new breach notification laws constitutes an interference with the privacy of an individual under the Privacy Act. This triggers the powers of the Privacy Commissioner to investigate, make determinations and provide remedies for non-compliance with the Privacy Act. The Commissioner can instigate a range of consequences from public apologies, compensation payments and, for serious breaches or repeat offenders, civil penalties. Civil penalties are $420,000 for individuals and $2.1 million for body corporates.
What should you do if you are an APP entity?
APP entities should develop processes for detecting, containing and managing data breaches, including a detailed data breach response plan. In addition, APP entities should consider whether cyber insurance policies can assist with reducing the risk associated with a cyber incident. For APP entities that already have cyber insurance in place, we recommend that they ensure they are familiar with any conditions of their policy that dictate the steps they should take in response to a covered event. Acting otherwise than in accordance with the policy terms may entitle the insurer to reduce amounts payable under the policy to the extent the insurer's interests have been prejudiced.
The Commissioner has released an updated guidance: Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).
*Natalie Cambrell is a partner in the Corporate and Financial Services Practice Group in the Melbourne office of Lander & Rogers. Varun Bhatia is a Senior Associate in the Corporate and Financial Services Practice Group. Ms Cambrell can be contacted at firstname.lastname@example.org.