This article was written by Patrick Gunning, Ian Hargreaves,
Rob Bolgar-Smith and Urszula McCormack.
Data security breaches have been on the rise for many
years now, with governments and regulators responding
in many ways. One element of the response is to require
organisations who experience a data security breach to
notify relevant regulators and, most importantly, the people
whose data has been compromised.
In a previous edition of Red Tape, we canvassed a broad
range of legal issues associated with cybersecurity
incidents. SEC Chair Mary-Jo White has recently
described cybersecurity as the biggest risk facing
the financial system. China has also recognised the
importance of cybersecurity to national security, and is
in the process of reforming its cybersecurity laws, as
reported last year. In late May 2016, Hong Kong’s banking
regulator launched a “Cybersecurity Fortification Initiative”,
following a spate of recent regional and local scandals
involving banks.
In this article, we look at recent developments in the
EU and Australia in relation to one of those legal issues,
namely data breach notification laws.
Mandatory data security breach reporting laws have
been in place in the United States of America for many
years now. Canada, Korea and, more recently, South
Africa also have enacted such laws. In the EU, the
requirement currently applies only to businesses in certain
sectors (electronic communications providers). Breach
reporting in Hong Kong is not strictly required under
law, but is expected under guidelines issued by both the
Privacy Commissioner for Personal Data and by financial
regulators.
European Union – 72 hour notification
One of the most significant recent developments has been
the adoption of the General Data Protection Regulation
(GDPR) by the European Union. On 4 May 2016, the
European Parliament and the European Council published
the GDPR in the Official Journal of the European Union.
This was the final step of a legislative process
spanning over five years. The GDPR will enter into force on
25 May 2018.
The GDPR contains an obligation to notify:
- the relevant data protection supervisory authority of a
personal data breach “without undue delay and, where
feasible, not later than 72 hours after having become
aware of it” (Article 33); and
- the data subject without undue delay “when the personal
data breach is likely to result in a high risk to the rights
and freedoms of natural persons” (Article 34).
If an organisation considers that there is not such a high risk,
the supervisory authority will have the power to require
the organisation to notify data subjects if it disagrees.
If an organisation fails to notify, it may be liable to an
administrative fine of up to €10 million or 2% of the total
worldwide annual turnover of the preceding financial year,
whichever is higher (Article 83(4)) (for certain other breaches
of the GDPR, the fine can be up to €20 million or 4% of total
worldwide turnover). This is in addition to any liability that the
organisation may have to affected individuals.
Based on our experience, we anticipate that many
organisations will take the view that it is not feasible to
report sensibly to the regulator within 72 hours of becoming
aware of a data breach. In many instances, only the basic
information about the extent of the breach and the manner in
which it occurred will be known within this period.
If the breach is a result of a sophisticated hacker, the hacker will
likely have been exploring the organisation’s systems for weeks
or months before the organisation became aware of the breach
(or part of it). So while obvious causes for the breach will have
been identified and contained within the initial 72 hour period,
response teams will frequently spend more time assessing
whether the hacker has identified other vulnerabilities. This
may lead to staggered notifications to the relevant regulator,
culminating in a later notification to data subjects once the
degree of risk has been more clearly assessed.
We expect that even vigilant regulators will be wary that
individuals may experience counter-productive “notification
fatigue” if lower risk incidents were routinely notified.
Australia
In late 2015, the Australian Government released a draft
of the Privacy Amendment (Notification of Serious Data
Breaches) Bill for public consultation. This was against the
background of public statements from both of Australia’s
main political parties supporting the introduction of data
breach notification laws. More than 40 submissions were
received (the text of the Bill and the submissions are
published here). In April 2016, the government indicated
that they intended to introduce a version of the Bill into
Parliament. However, they did not do so before Parliament
was dissolved for an election (which is underway at the time
of writing).
Unlike the EU’s expectation of a 72 hour period in which
to notify, the test proposed by the exposure draft of the
Australian Bill was to notify “as soon as practicable” after
becoming aware that there are reasonable grounds to
believe that there has been a serious data breach. Further,
the concept of “as soon as practicable” was clarified so as to
allow the organisation to carry out a reasonable assessment
of whether there are reasonable grounds to believe that a
serious data breach has occurred, provided that assessment
is carried out within 30 days after becoming aware.
The maximum penalty associated with a failure to notify in
Australia is A$1.8 million, which is considerably lower than
those in effect under the GDPR.
Due to the Australian election, progress of this bill is now
delayed, although both major parties are on the record in
supporting legislation of this kind. Accordingly, organisations
operating in Australia should be prepared for such laws to be
implemented during the next term of government (Australia
has a three year election cycle, so the next election will likely
be in 2019).
Will increased notification result in class action litigation?
Large scale data breach incidents which have been notified
under US law have often led to class action litigation being
commenced. However, as a percentage of the total number
of reported breaches, the number of class actions is quite
low. Various studies have found that approximately 5% of
publicly reported breaches resulted in class action litigation.
While some prominent class actions have resulted in
substantial damages awards or settlement sums, businesses
have had more success defending class action claims in
recent years. This can be attributed to the 2013 decision by
the US Supreme Court in the Clapper case which raised the
barrier by forcing the lead plaintiff to prove that there was a
substantial risk that they would suffer an injury or damage as
a result of the breach.
The courts have held that mere loss of data, without
evidence that it has been viewed or misused, is not an
injury sufficient to confer standing. However, not all cases
can be defended on this basis, because there are cases
in which damage has actually transpired or where a
threatened injury is “certainly impending”.