Today the Privacy Amendment (Privacy Alerts) Bill 2013 was tabled in the Federal Parliament.
If passed, the Bill will:
- introduce an obligation on entities bound to comply with the Australian Privacy Principles to provide a notification to the Privacy Commissioner and any affected individuals when the entity reasonably believes that a “serious data breach” has occurred; and
- commence on 12 March 2014 (the same date as the other amendments to the Privacy Act will take effect).
What is a “serious data breach”?
In essence, a serious data breach occurs where an APP entity holds personal information relating to one or more individuals, that information is required to be secured in accordance with Australian Privacy Principle 11.1, and the information is either: (a) accessed or disclosed without authority, and the access or disclosure will result in a “real risk”[1] of serious harm (including financial or economic harm and harm to reputation); or (b) lost in circumstances where (a) may occur. In addition to the “real risk of serious harm” test, the Bill establishes a framework that allows regulations to be passed which specify that loss, or unauthorised access or disclosure, of particular kinds of information will automatically be considered to be a “serious data breach”.
Consistently with the new ‘accountability’ concept, a serious data breach also occurs where an overseas entity holds personal information that has been disclosed to it by an APP entity in accordance with Australian Privacy Principle 8.1, and (a) or (b) occurs in respect of that foreign entity.
There are separate, but consistent, definitions of a “serious data breach” that apply to:
- credit reporting bodies in respect of credit reporting information; and
- credit providers in respect of credit eligibility information.
The “real risk of serious harm” test is intended to operate as a filter so that not every security breach need be notified. As a practical matter, an APP entity will need to undertake a preliminary investigation in order to assess the likelihood of serious harm arising from a given security breach. That assessment may be difficult for an APP entity because it will not always be in a position to anticipate the likely impact on an individual of their personal information coming to the attention of unauthorised persons.
Who must be notified and when?
When an APP entity reasonably believes that a serious data breach has occurred, it must prepare a notice setting out its own identity and contact details, the nature of the serious data breach and the information at risk, and advice to affected persons about how to respond to the breach (e.g. changing passwords, cancelling credit cards, etc.).
As soon as practicable after becoming aware of the serious data breach, the APP entity must give this notice to the Privacy Commissioner and either:
- to any individual who is significantly affected by the serious data breach; or
- publish the notice on its website and in at least one newspaper circulating generally in each Australian state (but only if the breach is of a kind specified in the regulations as requiring general publication).
An individual is taken to be “significantly affected” by a serious data breach if, and only if, the individual is exposed to the risk of serious harm which arises from the breach.
Various studies have found that data security breaches are typically discovered months after the breaches actually occurred[2], so any notice may in fact be given well after the security of the data was compromised.
Entities should, as a matter of priority after becoming aware of a security breach, seek to remediate the breach so as to mitigate the risk of further breaches of the same kind occurring. The Bill does not explicitly require this to be done, but we believe that it should be a relevant consideration when determining the timeframe in which it is “practicable” to notify the Commissioner and affected individuals.
Failure to notify the Commissioner or affected individuals when required to do so would be an “interference with the privacy of an individual”. This triggers enforcement rights under the Act, including the possibility of a determination by the Commissioner that the APP entity is required to pay compensation to affected individuals. Further, from 12 March 2014 repeated or serious interferences with the privacy of an individual can attract a civil penalty of up to $1.7m for corporations.
Perhaps more importantly, however, the experience in other jurisdictions with mandatory breach reporting requirements is that breach notices can look like an admission of liability and tend to trigger claims against the notifying party. As explained in our December 2012 “Class Actions Quarterly” publication, in the USA the time between the publication of a breach notice and the filing of a class action can be very short: in many cases less than a week, and in one case less than 24 hours. More recently, in March 2013 a class action was commenced against a hospital in Canada after it issued a notice in January 2013 that it had lost a USB stick containing details of 25,000 patients.
We anticipate that Australian class action litigation funders and law firms seeking to act for claimants in class actions will follow the Bill closely with a view to identifying class action opportunities in Australia if an APP entity announces that it has suffered a serious data breach affecting a sufficient number of individuals. For example, in the case against the Canadian hospital the claim is for $40m, representing an average loss per individual of $1,600. The grounds on which such a claim would be pursued in Australia would depend on the precise circumstances, but most class actions in Australia are commenced in the Federal Court, so the plaintiffs’ lawyers would likely seek to identify a federal cause of action. This could include a claim for an injunction under section 98 of the Privacy Act to restrain future breaches of the Act, or a claim for damage suffered by misleading conduct if the entity which suffered the serious data breach had represented to class members that it would hold the data securely. Other potential causes of action include claims for negligence, breach of contract, breach of confidence and even a claim based on a privacy tort (which the High Court of Australia left open as a possibility in a case decided in 2001).
The Bill is likely to spark greater interest in cyber insurance policies specifically covering losses and liabilities associated with hacking attacks, data and privacy breaches, and breach notification costs. Some policies even cover the costs of public relations repair.
King & Wood Mallesons held a seminar in Sydney on 21 May 2013 on the topic of cyber risks and insurance including a discussion of possible data breach class actions in Australia, and will hold a similar seminar in Melbourne on 18 June.
[1] A “real risk” is defined as a risk that is not a remote risk.
[2] For example, Trustwave found that an average of 210 days elapsed between the original intrusion and its discovery by the target.