Australian Financial Services licensees and Australian Credit Licensees are subject to the mandatory data breach reporting requirements contained in the Privacy Act 1988 (Cth) ("data breach law").
The law imposes a reporting obligation when an 'eligible data breach' occurs. The reporting obligations apply to Australian Privacy Principle (APP) entities, credit reporting bodies, credit providers and tax file number recipients, all of which are already subject to existing privacy laws. The intention of the data breach reporting obligation is to improve the privacy protection of Australians in the event of a data breach without creating an unreasonable regulatory burden for businesses.
Here is a summary of obligations.
What is an eligible data breach?
An 'eligible data breach' occurs if there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity, and a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates. Loss of information (for example, a misplaced laptop or USB drive) is covered where unauthorised access or disclosure is likely to occur as a result of the loss.
In some circumstances, the access, disclosure or loss will not be an eligible data breach where remedial action is taken. For example, a disclosure of information is not, and is taken never to have been, an eligible data breach if both of the following apply:
- action is taken by the entity before the disclosure results in serious harm to any individual; and
- as a result of that action, a reasonable person would conclude that the disclosure would not be likely to result in serious harm.
The data breach law sets out a range of specific factors to be considered when determining whether serious harm would or would not be likely. These factors include: the kind and sensitivity of the information, whether the information is protected by one or more security measures (such as encryption) and the likelihood that those measures could be overcome, the persons who have obtained or could obtain the information, and the nature of the harm.
When is notification required?
Notification obligations are triggered when an entity has reasonable grounds to believe that there has been an eligible data breach of the entity.
What if there is only a suspicion of a breach?
Where an entity forms a reasonable suspicion that an eligible data breach has occurred, but there is not enough information (considering all the circumstances) for the entity to believe that there has been an eligible data breach, the entity must carry out a 'reasonable and expeditious assessment'. Entities must take reasonable steps to ensure that this assessment is completed within 30 days of the entity becoming aware of the grounds for suspicion. The 30 days is an outer limit, not a target: if the assessment concludes earlier that an eligible data breach has occurred, the notification obligations are triggered at that point.
Who must be notified?
Once the entity has formed the view that the breach is a notifiable breach, the entity must:
- Prepare a statement and notify the Australian Information Commissioner
A statement relating to the breach must be prepared as soon as practicable. It must set out the identity and contact details of the entity, describe the breach, identify the kind or kinds of information affected, and recommend the steps that individuals should take in response to the eligible data breach. A copy of the statement is given to the Commissioner.
- Notify affected individuals
The data breach law sets out when and how entities must disclose an eligible data breach to affected individuals. This extends not only to individuals whose information has been compromised, but also to individuals who are at risk from the eligible data breach. Entities can notify affected individuals using their normal mode of communication with those individuals. If that is not practicable, the entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
In each case, the entity must notify affected individuals as soon as practicable after having prepared the statement.
Consequences of non-compliance
The data breach laws form part of the existing privacy enforcement framework in Australia. In particular, the Commissioner retains its investigatory powers under the Privacy Act 1988 in relation to these obligations. The Commissioner can, therefore, investigate possible non-compliance with the mandatory notification scheme and, in the case of serious or repeated non-compliance, apply to a court for a civil penalty.
What types of data breaches are being reported?
According to the most recent report released by the Office of the Australian Information Commissioner ("OAIC"), entities in the finance sector were the second highest reporter of data breaches. Malicious or criminal attacks accounted for the majority of data breaches across all sectors. Most of these attacks were cyber incidents, and most of those arose from compromised or stolen credentials.
Most finance sector notifications involved data breaches affecting fewer than 10 individuals, and the majority of reports related to unauthorised access to, or disclosure of, contact information.
What should we be doing?
Licensees should have a documented data breach response procedure to guide staff through containing, assessing and (where required) notifying a breach within the statutory timeframes, including the 30-day assessment window. Because whether the information was protected by security measures, and whether those measures could be overcome, are statutory factors in the serious harm test, the procedure should also allow the licensee to establish quickly what data was exposed and how it was protected (for example, through access logging and a record of which systems encrypt personal information). Given the OAIC statistics in relation to cyber incidents, and in particular compromised or stolen credentials, licensees should embed cyber-resilience protocols throughout the business. We would also recommend that licensees train staff to recognise attempted cyber-attacks, with a focus on identifying phishing emails, which are a common means of stealing credentials.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.