14 June 2016

Red Tape | Data breach notifications

This article was written by Patrick Gunning, Ian Hargreaves, Rob Bolgar-Smith and Urszula McCormack.

Data security breaches have been on the rise for many years now, with governments and regulators responding in many ways. One element of the response is to require organisations who experience a data security breach to notify relevant regulators and, most importantly, the people whose data has been compromised. 

In a previous edition of Red Tape, we canvassed a broad range of legal issues associated with cybersecurity incidents. SEC Chair Mary-Jo White has recently described cybersecurity as the biggest risk facing the financial system. China has also recognised the importance of cybersecurity to national security, and is in the process of reforming its cybersecurity laws, as reported last year. In late May 2016, Hong Kong’s banking regulator launched a “Cybersecurity Fortification Initiative”, following a blight of recent regional and local scandals involving banks. 

In this article, we look at recent developments in the EU and Australia in relation to one of those legal issues, namely data breach notification laws.  

Mandatory data security breach reporting laws have been in place in the United States of America for many years now. Canada, Korea and, more recently, South Africa also have enacted such laws. In the EU, the requirement currently applies only to businesses in certain sectors (electronic communications providers). Breach reporting in Hong Kong is not strictly required under law, but is expected under guidelines issued by both the Privacy Commissioner for Personal Data and by financial regulators. 

European Union – 72 hour notification 

One of the most significant recent developments has been the adoption of the General Data Protection Regulation (GDPR) by the European Union. On 4 May 2016, the European Parliament and the European Council published the GDPR in the Official Journal of the European Union. This has been the final step of a legislative process spanning over five years. The GDPR will enter into force on 25 May 2018. 

The GDPR contains an obligation to notify: ƒƒ

  • the relevant data protection supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (Article 33); and ƒƒ
  • the data subject without undue delay “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” (Article 34). 

If an organisation considers that there is not such a high risk, the supervisory authority will have the power to require the organisation to notify data subjects if it disagrees. If an organisation fails to notify, it may be liable to an administrative fine of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)) (for certain other breaches of the GDPR, the fine can be up €20 million or 4% of total worldwide turnover). This is in addition to any liability that the organisation may have to affected individuals. 

Based on our experience, we anticipate that many organisations will take the view that it is not feasible to report sensibly to the regulator within 72 hours of becoming aware of a data breach. In many instances, only the basic information about the extent of the breach and the manner in which it occurred will be known within this period. 

If the breach is a result of a sophisticated hacker, the hacker will likely have been exploring the organisation’s systems for weeks or months before the organisation became aware of the breach (or part of it). So while obvious causes for the breach will have been identified and contained within the initial 72 hour period, response teams will frequently spend more time assessing whether the hacker has identified other vulnerabilities. This may lead to staggered notifications to the relevant regulator, culminating in a later notification to data subjects once the degree of risk has been more clearly assessed. 

We expect that even vigilant regulators will be wary that individuals may experience counter-productive “notification fatigue” if lower risk incidents were routinely notified. 

Australia 

In late 2015, the Australian Government released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill for public consultation. This was against the background of public statements from both of Australia’s main political parties supporting the introduction of data breach notification laws. More than 40 submissions were received (the text of the Bill and the submissions are published here). In April 2016, the government indicated that they intended to introduce a version of the Bill into Parliament. However, they did not do so before Parliament was dissolved for an election (which is underway at the time of writing). 

Unlike the EU’s expectation of a 72 hour period in which to notify, the test proposed by the exposure draft of the Australian Bill was to notify “as soon as practicable” after becoming aware that there are reasonable grounds to believe that there has been a serious data breach. Further, the concept of “as soon as practicable” was clarified so as to allow the organisation to carry out a reasonable assessment of whether there are reasonable grounds to believe that a serious data breach has occurred, provided that assessment is carried out within 30 days after becoming aware. 

The maximum penalty associated with a failure to notify in Australia is A$1.8 million, which is considerably lower than those in effect under the GDPR. 

Due to the Australian election, progress of this bill is now delayed, although both major parties are on the record in supporting legislation of this kind. Accordingly, organisations operating in Australia should be prepared for such laws to be implemented during the next term of government (Australia has a three year election cycle, so the next election will likely be in 2019). 

Will increased notification result in class action litigation? 

Large scale data breach incidents which have been notified under US law have often led to class action litigation being commenced. However, as a percentage of the total number of reported breaches, the number of class actions is quite low. Various studies have found that approximately 5% of publicly reported breaches resulted in class action litigation. 

While some prominent class actions have resulted in substantial damages awards or settlement sums, businesses have had more success defending class action claims in recent years. This can be attributed to the 2013 decision by the US Supreme Court in the Clapper case which raised the barrier by forcing the lead plaintiff to prove that there was a substantial risk that they would suffer an injury or damage as a result of the breach. 

The courts have held that mere loss of data, without evidence that it has been viewed or misused, is not an injury sufficient to confer standing. However, not all cases can be defended on this basis, because there are cases in which damage has actually transpired or where a threatened injury is “certainly impending”.

Key contacts

Patrick Gunning
Patrick Gunning
Partner
Sydney
T +61 2 9296 2170
M +61 418 297 018
urszula-mccormack
Urszula McCormack
Partner | Cross Border Finance & Technology
T +612 9296 2570/+852 3443 1168

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in
    China Crackdown on Non-Registered NGOs

    A number of offices operated by international organizations in China have been recently visited by Chinese Public Security Bureau (PSB) officers for operating in a non-compliant manner.

    11 August 2021
    Read article
    FCA brings first criminal prosecution against a bank

    The arrival of the first criminal prosecution against a bank under Money Laundering Regulations (MLRs) by the UK’s Financial Conduct Authority (FCA) has led to speculation that the FCA is ramping up

    05 May 2021
    Read article
    Keepwell and carry on: enforcement of Keepwell deeds...

    Keepwell deeds, also known as letters of comfort, are a credit protection tool commonly used by Chinese companies issuing debt offshore.

    23 February 2021
    Read article
    Brexit Update

    As of 11 pm on 31 December 2020, the transitional period for the UK’s departure from the EU will end, and EU legislation that has been ‘onshored’ will come into force

    09 November 2020
    Read article

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.