Act on your suspicions: Key lessons from the OAIC’s latest Notifiable Data Breaches Report

Tell me in a minute:

Key lessons from the OAIC’s latest analysis of notifiable data breaches are that:

  • it is important to commence an assessment as soon as a data breach is suspected (i.e., as soon as there is any factual basis to suggest that personal information may have been compromised) to determine whether reporting obligations have been triggered;
  • a pre-prepared incident response plan, including a plan for engaging forensic experts and other advisers to assist, is essential to ensure that any assessment is undertaken in a sufficiently expeditious manner;
  • the OAIC expects to be promptly notified – often in no more than 1 or 2 days – after an entity forms a belief that there has been a reportable breach, even if it will take longer for the entity to arrange for affected individuals to be notified (i.e., there is no specific need for notices to the OAIC and to affected individuals to be ‘coordinated’ so that they can be issued at the same time); and
  • supply chain risks continue to be of concern - entities should ensure that appropriate cyber security due diligence is a feature of every relevant vendor selection process and is supported by a clear contractual framework for assigning roles and responsibilities for dealing with any data breach incident.

Notifiable Data Breaches Report: July to December 2023

Twice a year the OAIC produces a report about the operation of the notifiable data breaches (NDB) scheme under the Privacy Act.  In addition to providing a wealth of interesting statistical data about how organisations have been complying with the scheme, the report always includes interesting insights into how the OAIC interprets, and intends to enforce, the scheme.  The latest report, covering the period from July to December 2023, was released on 22 February 2024.  We have set out our key takeaways from the report below.  You can also read our observations on the previous report here.

Act on your suspicions

The OAIC has identified the security of personal information as a regulatory priority.  Compliance with the NDB scheme is an important way for entities to mitigate data security risks, and the OAIC is already taking action to enforce compliance with the scheme.  The OAIC’s latest report reiterates the OAIC’s expectation that organisations will have established processes in place to ensure an effective and timely response to data breaches.  In particular, the report is critical of organisations that the OAIC considers have been too slow to respond to a suspected breach.  There are some important lessons in the report for all organisations about the importance of being prepared.

Before we delve into the specifics, to briefly recap, the NDB scheme requires that where an entity is aware that there are reasonable grounds to suspect there may have been an eligible data breach (i.e., a breach that must be reported under the NDB scheme) the entity must take reasonable steps to carry out a ‘reasonable and expeditious’ assessment of the suspected breach (see section 26WH).  Where an entity has reasonable grounds to believe that there has been an eligible data breach then the entity must notify the OAIC and affected individuals ‘as soon as practicable’ (see section 26WL).

In practice, the application of these triggers is not always clear, particularly where in the early days of a data breach scenario details can be very murky.  However, the clear message from the OAIC is that entities are taking too long to act.  Two determinations from the OAIC in relation to Datateks (a technology vendor) and Pacific Lutheran College (an independent private school) in October 2023 reinforce this view and provide very interesting insights into the OAIC’s thinking in this regard.  Both determinations draw on High Court authority about the meaning of the terms ‘suspicion’ and ‘belief’, with the OAIC concluding:

  • suspicion does require some factual basis, but it may be formed on facts that would be insufficient to reasonably ground a ‘belief’; and
  • belief may be formed when the objective circumstances show a reason to believe something, but this does not require ‘proof’ of the circumstances (whether on the balance of probabilities or any other standard) – as per the High Court’s view, a ‘belief’ is ‘an inclination of the mind towards assenting to, rather than rejecting, a proposition and the grounds which can reasonably induce that inclination of the mind may, depending on the circumstances, leave something to surmise or conjecture.’

In short, the OAIC’s view is that there must be some factual basis for a ‘suspicion’, but it need only be slight.  Additional facts may be required to form a ‘belief’, but there is no need for positive proof.

The Datateks case is a useful illustration of how this can play out in practice.  In that case, three email accounts belonging to Datateks were accessed by a third party and used to carry out a phishing campaign.  According to the OAIC, Datateks had grounds to suspect there had been an eligible data breach as soon as it realised that the email accounts had been compromised and that these accounts had been used to store certain types of potentially sensitive personal information.  The OAIC rejected Datateks’s argument that there was no basis to form such a suspicion until after a forensic examination had been completed (the additional certainty that such an examination would provide was not necessary to establish the basis for a ‘suspicion’).  On the other hand, the OAIC accepted that Datateks had not formed a ‘belief’ that there had been an eligible data breach until both the forensic examination and a subsequent assessment of the compromised data had been completed.  As such, it was only at that point that the reporting obligation was triggered (more on that later).

Act with reasonable expedition

As flagged above, once there is a basis to suspect there has been an eligible data breach, the entity concerned must carry out a ‘reasonable and expeditious’ assessment to determine whether there has indeed been a breach that must be reported under the NDB scheme.  While there is no hard timeframe for the assessment, the Privacy Act requires that all reasonable steps be taken to complete the assessment within 30 days, and the OAIC places significant weight on this timeframe.

To go back to the Datateks example, once Datateks realised that email accounts used to store personal information had been compromised, Datateks should have carried out an assessment in a reasonable and expeditious manner.  However, within the first 30 days, Datateks only completed the following steps: engaged a vendor for initial containment (day 1), appointed a legal representative (day 20), participated in an initial triage meeting with a cyber security specialist (day 21) and engaged the cyber security specialist to undertake a forensic investigation (day 27).  The forensic investigation itself was not completed until some time later (day 67), and it was longer still before any assessment of the compromised information was commenced.  In the OAIC’s view this was not sufficiently expeditious to meet the requirements of the NDB scheme.

Helpfully, the OAIC has indicated that in its view the following steps would have been reasonable to complete within the first 30 days:

  • clearly communicating to all employees, stakeholders and service providers that the assessment was required, if possible, to be completed within 30 days;
  • prioritising the matter above other routine matters;
  • assigning accountability for ensuring the completion of the assessment and/or parts of the assessment;
  • monitoring progress of the assessment and investigation;
  • seeking assistance from legal representatives or other experts at an early stage, as a matter of priority; and
  • planning effectively from the outset, such as by having an incident response plan in place.

The last point is particularly worthy of note: it is very hard to act quickly without a plan already in place.  Organisations that have not already done so would be well-advised to establish a clear and documented plan for how they will respond to any suspected data breach in a sufficiently swift manner in order to live up to the OAIC’s expectations (notably, neither Datateks nor Pacific Lutheran College had a plan in place before they experienced their data breach).  This should include protocols for engaging third party forensic experts and other advisers where needed (establishing relationships with such advisers ahead of time is very helpful in that regard) and setting clear deadlines for the support required.  In the Pacific Lutheran College determination mentioned above, the OAIC was particularly critical of the time taken to obtain quotes from and engage expert forensic investigators to assist with the assessment.

A final interesting observation on this from the NDB scheme report is that the OAIC’s statistics show that the time taken to report a breach varies depending on the underlying cause.  Over the latest reporting period, 88% of all breaches caused by system faults were reported to the OAIC within 30 days; this dropped to 79% for breaches caused by human error, and there was a further drop to 68% for breaches caused by a malicious or criminal attack.  This suggests that organisations are more hesitant to notify a breach where there has been a deliberate attack.  This may reflect a desire to be more certain of the underlying substratum of facts, including the protections that were in place, before opening these matters up to regulatory scrutiny.

Notify as soon as reasonably practicable

The next step in complying with the NDB scheme, after an assessment has concluded that there are grounds to believe an eligible data breach has occurred, is to issue breach notices to the OAIC and affected individuals ‘as soon as reasonably practicable’.  The Government has agreed-in-principle that, as part of ongoing privacy law reforms, this should be updated to set 72 hours as a cap on the time taken to report a breach (see here for further detail about the proposed reforms, together with KWM’s analysis here).  While for the moment there is some flexibility, it is clear from the OAIC’s recent actions that organisations will delay notification at their peril.

In the Datateks case, it took three months from the time that Datateks formed a belief that there was a reportable breach (based on the outcome of an expert assessment of compromised information that Datateks commissioned, which was itself almost 4 months after Datateks first became aware of the breach) for Datateks to issue the relevant breach notices.  Datateks spent this time undertaking further assessments to determine which individuals should be notified, identifying addresses for those individuals, engaging a communication services provider to assist in executing the notification campaign, and dealing with technical issues that impeded electronic notification.  The OAIC found that while some of these steps were necessary for notifying the individuals concerned, none of them was a prerequisite for notifying the OAIC.  In these circumstances, it is clear that the OAIC expects to be notified ahead of the individuals and that there is no need to ‘coordinate’ notifications, as Datateks had contended.

Ultimately, the OAIC found that preparation of the notice to the OAIC ‘should have taken no more than a day or two’ after the initial assessment of the impacted information had been completed.  As Datateks took much longer than this, the OAIC found that it had breached the Privacy Act by not complying with the requirements of the NDB scheme.  Datateks was ordered to take steps to prepare an incident response plan to improve its ability to respond to future data breach incidents.  While Datateks did not face a fine and was not required to pay compensation, the risk of having to do so is not purely hypothetical.  In November 2023, the OAIC commenced civil penalty proceedings against Australian Clinical Labs (only the second such proceeding ever brought by the OAIC), in part for failing to comply with the NDB scheme in relation to the management of a major data breach (see KWM’s reporting on that case here).  Having an effective data breach response plan in place upfront is an essential first step to avoid suffering a similar fate.

Focus on supply chain

A final interesting aspect of the latest NDB report from the OAIC is the issue of ‘secondary’ notifications.  These are notifications issued by multiple parties affected by a single data breach.  This commonly occurs where a service provider holding data on behalf of multiple customers suffers a breach, as in those cases the service provider and each customer may technically have independent reporting obligations under the NDB scheme (though in theory one notice by the service provider could discharge those obligations on behalf of them all).

This is certainly something that KWM has seen in assisting clients managing data breach incidents over the past 6 to 12 months – often the client’s own systems have not been directly impacted, and the underlying cause of the data breach has been a cyber incident in the client’s supply chain.  It is particularly challenging for a client where they cannot obtain clear information from the relevant service provider, and lack the systems access required to undertake their own independent analysis of the scope and impact of the breach.  In these instances, it can be difficult for the client to take effective control over the matter.

Over the July to December 2023 reporting period, the OAIC received 6 ‘primary’ notifications where at least one ‘secondary’ notification was received, with 121 secondary notifications being received overall.  In other words, for every primary notification there was an average of 20 secondary notifications.  This was a very substantial increase over previous reporting periods.  This could be a matter of coincidence, with this reporting period just happening to see a series of breaches affecting service providers with broad customer bases.  However, it could also be indicative of customers becoming more eager to take control over matters by independently reporting breaches to the OAIC, even if the matter relates to a supply chain issue.

The key lesson to draw from this is that it is critical for customers to ensure they retain as much influence as possible over supply chain risks by undertaking appropriate due diligence and ensuring appropriate contractual controls are in place (and that those controls are deployed in practice – e.g., that audit rights are actually exercised).  In the latest NDB scheme report, the OAIC recommends the following steps:

  • ensure that third party service providers have baseline security and operational controls in place to prevent systems holding personal information from being compromised;
  • ensure that contracts with third party service providers include provisions addressing:
    • handling of personal information, including by setting defined data retention periods and establishing processes for destroying / de-identifying data once no longer required (including following the end of the service relationship); and
    • management of data breach incidents, including by assigning roles and responsibilities for complying with any reporting requirements – these responsibilities could be consolidated with one party or else divided between them (e.g., with the service provider notifying regulators like the OAIC and the customer notifying affected individuals, in order to maintain control over messaging with their stakeholders); and
  • ensure that there are requirements for communicating when suspicious activity is detected on systems that hold personal information.

We agree that these steps are indicative of good practice.  However, based on our experience, customers should also be considering other aspects of the contractual framework, including:

  • clear provisions requiring the service provider to cooperate and provide access to information as required for the management of a data breach incident (e.g., so that the customer can stay across any forensic investigation and obtain any other information required to inform its own independent assessment of the incident); and
  • who will bear the cost of any investigation and notification activity that may be required – e.g., if the customer wishes to undertake its own forensic investigation because it is not receiving information from the service provider in a sufficiently timely manner, is it clear whether the customer will be able to recover the cost of doing so from the service provider?  While service providers will typically be loath to take on responsibility for costs in addition to their own centralised assessment, if the service provider is not proceeding in a sufficiently expeditious manner there may be an imperative for the customer to step in and undertake its own assessment in order to effectively manage its own regulatory responsibilities.  In such circumstances, it is not unreasonable for the customer to expect there should be some contractual means to recover its costs.

These factors should be taken into account in all contracts involving the management of personal information, irrespective of the underlying value of the contract (lower value contracts may still give rise to material privacy risks), and should also be considered when renewing any existing contracts so that customers do not blindly roll over on terms that fail to deal adequately with data breach risks.

Another under-estimated concern is making sure that a current version of the contract is readily available so that the customer can quickly assess and leverage its contractual rights when required.  While this may seem simple, we have seen in practice that difficulty in determining the current contractual position can be an impediment during the initial stages of a breach investigation.

As a parting comment, it is worth noting that the government has agreed-in-principle to explore the introduction of a distinction between data controllers and processors in the Privacy Act, which has the potential to clarify roles and responsibilities in these scenarios, though it is unlikely to resolve the practical issues where customers are entirely dependent upon their service provider to investigate the underlying causes and extent of a data breach.  Supply chain risks will continue to be an area of concern, no matter how the underlying legal framework develops.