A proposed mandatory notification scheme released for discussion by the Government on 17 October, 2012 brings organisations a step closer to being required to notify customers and other third parties if the security of their personal information has been compromised.

With the considerable rise in personal information that is stored in "the cloud" and the significant increase of "data breaches" (ie personal information being improperly accessed, including by inadvertent emails, websites accidentally open to public viewing, or hacked databases) in recent times, the issue of mandatory notification has been a hot topic.

The Australian Law Reform Commission (ALRC) argued for mandatory notification requirements where a data breach would cause a "real risk of serious harm" in its 2008 review of Australian privacy law. The ALRC's recommendations included a system requiring businesses to notify the Privacy Commissioner and affected persons that specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person. The recommendations also included a civil penalty system to be enforced by the Privacy Commissioner.

Australian Privacy Commissioner Timothy Pilgrim has stated that notifications give affected customers an opportunity to reduce the impact of a security breach by acting quickly and could also improve public confidence in companies that store personal information.

The Government's discussion paper, which is seeking submissions by 23 November 2012, revisits the issues outlined in the ALRC's recommendations. It recognises that consideration of a mandatory data breach notification regime is the next stage in responding to the ALRC's 2008 report.

The discussion paper canvasses the following questions:

  • Should Australia introduce mandatory data breach notification laws?
  • Is a change from the current requirements, where voluntary notification is encouraged, warranted?
  • What kind of breaches should prompt notification requirements?
  • Who should decide whether notification is necessary?
  • What should be reported and when?
  • How should a notification requirement be enforced?
  • Who should be subject to a mandatory data breach notification law?

The discussion paper also recognises that if Australia went down this route and introduced a mandatory data breach notification scheme, it would not be alone. In fact, a significant number of international jurisdictions have considered this question and introduced various measures to implement some form of mandatory notification scheme. The discussion paper discusses the various approaches of international jurisdictions to this issue.

In the United States (US), almost all states have data breach laws and US Congress is considering national proposals. Germany has adopted breach notification requirements under three different acts. In the European Union (EU), such requirements are applicable to telecommunications companies pursuant to the European Commission Directive on Privacy and Electronic Communications. The EU is currently considering wider proposals that would cover all sectors. Russia has also adopted a requirement that data security incidents be "cured" immediately and, in India, certain intermediaries must report a "cyber security incident". Chile has established a general consumer protection requirement. In Brazil, active consumer protection agencies are generally willing to pursue actions against global enterprises for data security breaches. Mexico has also adopted data security breach notification obligations.

The effects of mandatory notification in Australia could be far reaching, depending on the model and specific requirements adopted. It also isn't clear at this stage how a mandatory notification scheme would interact with foreign laws, such as the USA PATRIOT Act, that might apply to a service provider and require disclosure of data to foreign governments, and that at the same time prohibit the affected organisation from disclosing the fact that the information was sought or obtained.

The devastating effects of a data breach, both in terms of cost and reputation, have hit many high profile organisations in recent years. Mandatory notification laws could bring to light data breaches that otherwise may never have been disclosed, increasing the pressure on companies that collect, store, use or disclose personal information to ensure that it is adequately protected.

We await with interest the submissions to the discussion paper and the Government's next steps in implementing privacy reform.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Middletons has been awarded a 2012 EOWA Employer of Choice for Women citation acknowledging our commitment to workplace diversity.