Mandatory Data Breach Notification went live on 22 February 2018: Partner, head of digital law Asia Pacific at EY, Alec Christie, tells us what we need to know.
Whether you collect personal information directly or only receive it from, or process it on behalf of, your clients, if you hold personal information at any time and a data breach occurs, you and everyone in the chain (eg brands, marketers, agencies, ad tech and/or data providers) may be caught by the new Notifiable Data Breaches regime (NDB).
Or, at the very least, you may have notification obligations imposed on you contractually by your clients so that they can comply with their own NDB obligations.
When does the mandatory notification obligation arise?
From 22 February 2018, unless a specific limited exemption applies, all “eligible data breaches” must be notified to the Australian Information Commissioner (OAIC) and to all affected individuals by every entity covered by the Privacy Act 1988 (Cth), as soon as practicable after:
(i) you become aware of the eligible data breach;
(ii) you become aware of reasonable grounds to believe an eligible data breach has occurred; or
(iii) you are directed to do so by the Commissioner.
An ‘eligible data breach’ occurs if:
(i) there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by you; and
(ii) a reasonable person would conclude that such access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
“Serious harm” and “harm” are not defined in the Act. However, it is hard to envisage a situation where physical, psychological, emotional or even economic/financial harm caused by a data breach would not be “serious harm”. For any data breach involving sensitive or health information, we suggest starting from the premise that it is an eligible data breach until shown otherwise.
Remedial action exemption
There is an exemption from notification of a potential eligible data breach where “remedial action” has been (or is being) taken such that a reasonable person would no longer conclude that serious harm to any of the affected individuals is likely. In other words, where steps have been (or are being) taken, before any harm arises, to avoid serious harm arising, there is an exemption from mandatory notification.
There is no guidance or clarity around how long one has to attempt (and fail) to implement remedial action to prevent serious harm before one must notify the eligible data breach. The Act does, however, require an assessment of a suspected eligible data breach to be completed within 30 days of becoming aware of the suspicion, so the remedial-action window cannot be open-ended. One thing that is certain is that the time available to undertake remedial action (and not mandatorily notify) ceases immediately once any of the affected individuals actually suffers serious harm.
Consequences of failure to notify
Failure to notify may result in civil penalties of up to $2.1 million and ‘compensation’ per affected individual (if there has been a privacy compliance failure) averaging between $10,000 and $15,000 per successful complainant. A successful class complaint of, say, 1,000 individuals could therefore easily see penalties and damages in excess of $12m.
On a practical note – How to promote compliance
In order both to get the most out of the remedial action exemption (ie to avoid the obligation to notify what would otherwise be an eligible data breach) and to be in a position to comply with the NDB, you will need to quickly:
(i) know when a data breach has occurred;
(ii) assess whether the data breach is an ‘eligible data breach’; and
(iii) take appropriate “remedial action” to prevent the risk of serious harm arising (before the data breach actually results in serious harm to any of the relevant individuals).
The best way to address these matters, and thus reduce the number of mandatory notifications you need to make, is to implement a privacy management program, including an appropriate data breach response plan, so that you are aware of all data breaches/cyber incidents and have an agreed mechanism to determine their severity/impact and deal with them quickly and effectively.
To ensure preparedness for and promote compliance with the NDB you should be asking:
What specific measures/mechanisms are in place to detect data breaches across all parts of the business and all forms in which the data is held (eg paper and electronic/digital)?
What specific data breach reporting and escalation framework is in place, and who, ultimately, will assess whether each data breach is an eligible data breach requiring notification?
Do you have a data breach response plan and an incident response team? When was the plan last exercised with the team (ie a data breach simulation)?
What training has been undertaken, and by which personnel, on data breaches (ie detection, reporting, assessment and the plan)?
If you do have any of the above, what independent assurance has been obtained of their quality and implementation? If not, how do you know what has been implemented and whether it is compliant?