Key Lessons From Australia's Notifiable Data Breach Scheme
The Situation: The Notifiable Data Breach scheme, introduced by amendments to the Privacy Act 1988 (Cth), requires an assessment when an entity suspects that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information. The scheme has been in place for just over one year.
The Result: Recent publications by the Office of the Australian Information Commissioner ("OAIC") indicate that a significant number of data breaches have been notified since the introduction of the scheme.
Looking Ahead: The anniversary of the introduction of the scheme provides a useful opportunity for entities that hold personal information to: (i) consider how best to respond to data breaches given the OAIC's approach to them; (ii) review their management of that information; and (iii) ensure that their management is consistent with best practice.
REVIEW OF SCHEME
On 22 February 2018, the OAIC marked the one-year anniversary of the enactment of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which introduced Part IIIC to the Privacy Act 1988 (Cth) (Privacy Act).
Part IIIC provides that an "eligible data breach" occurs if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
The affected entity must give notice to the OAIC and affected individuals if:
- it has reasonable grounds to believe that an eligible data breach has occurred; or
- it is directed to do so by the OAIC.
Unauthorised access to personal information – when personal information held by an entity is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee, independent contractor or an unauthorised third party.
Unauthorised disclosure of personal information – when an entity, intentionally or unintentionally, makes personal information accessible or visible to others outside the entity and releases the information from its control in a way not permitted by the Privacy Act.
Loss – refers to accidental loss of personal information likely to result in unauthorised access or disclosure. If the information is lost in circumstances where subsequent access or disclosure is not possible, there is no eligible data breach.
Serious harm – requires case-by-case consideration for each data breach. Factors to consider in determining whether serious harm has occurred are:
- the type or types of personal information involved in the data breach (for example, is it sensitive information?).
- the circumstances of the data breach.
- the nature of the harm that may result from the data breach.
Prevention – Has the entity been able to prevent the likelihood of serious harm with remedial actions? If the entity takes steps to address a data breach in a timely manner, such that the data breach is not likely to result in serious harm, there is no need to notify.
DATA BREACHES NOTIFIED
The OAIC has reported that between 22 February 2018 and 31 December 2018, entities notified 812 data breaches. A number of observations can be made about the data breaches notified to the OAIC:
- The vast majority of breaches notified have each impacted a small number of individuals. From October to December 2018, the majority of data breaches involved the personal information of 100 individuals or fewer.
- The kinds of personal information involved in breaches included contact information, financial details, identity information (such as a passport number, driver's licence number or other government identifier), health information and tax file numbers.
- The largest cause of data breaches from October to December 2018 was "malicious or criminal attack" (64 percent of notifications), which far exceeds other reported causes (human error – 33 percent; system fault – 3 percent).
- 68 percent of data breach notifications caused by "malicious or criminal attack" from October to December 2018 involved a cyber-incident, such as "phishing, malware or ransomware, brute-force attacks, compromised or stolen credentials and social engineering or impersonation."
- The OAIC has reported that: "(m)any cyber incidents this quarter (October to December 2018) appear to have exploited vulnerabilities involving a human factor, such as clicking on an attachment to a phishing email."
- The leading source of notifications among sectors from October to December 2018 was private health service providers (21 percent). The second largest source was the finance sector (15 percent), followed by legal, accounting and management services (9 percent), education (8 percent) and mining and manufacturing (5 percent).
PREPARATION FOR DATA BREACH EVENTS
Assessment of insurance coverage Given the tendency of some insurance companies to exclude liability for data breaches and other cyber threats from their general policies, cyber insurance policies have filled the gap in the insurance market. Some lower-tier policies are not particularly satisfactory and have a host of limitations which might limit ultimate recovery. Considering the ever-changing nature of cyber threats, it is necessary for entities to regularly review insurance policies to ensure that potential risks are addressed by the policies. We recommend reviewing existing policies at least every two years.
Independent assessment of cybersecurity program Best practice includes engaging outside counsel to retain a technical consultancy to review the cybersecurity program. The reason for engaging outside counsel is to protect any observations in relation to gaps or issues identified by the technical consultancy under legal professional privilege.
Develop a good incident response plan It is necessary to consider the following issues when developing an incident response plan:
- It is imperative that the plan be tailored to an entity's business and the personal information the entity collects and holds. To the extent that personal information the entity holds includes sensitive information, that data should be separately identified, and its management considered.
- The incident response plan must have an escalation protocol so that the entity's information technology professionals know when to reach out to in-house legal and management concerning an incident.
- The incident response plan must identify a multidisciplinary team responsible for the response to the data breach and an incident commander responsible for implementation. A good response plan should include information security, lines of management, communications, risk management and accountancy (to track costs for the purpose of an insurance claim). In the event of a data breach, decisions need to be made quickly and, at times, without all relevant information.
- The incident response plan should include who to reach out to in the event of an attack.
External resources An entity does not want to be in a situation where it is scrambling to find third parties who can assist when a data breach occurs. Third parties need to be familiar with the entity's information technology systems, so that they can hit the ground running when an incident occurs. Engaging outside counsel who can direct communications will keep those communications privileged, including communications with cybersecurity experts, forensic experts, government contacts/law enforcement and cybersecurity intelligence agencies.
Cybersecurity infrastructure Investment in cybersecurity infrastructure is a good way to address the risk of data breaches.
Other recommendations The first step in data breach preparation is to have an audit of your information technology infrastructure. This will identify any weaknesses and risks in existing infrastructure. It will also be beneficial to have executives go through a table-top exercise that runs through a worst-case scenario, so they have a sense of how severe the risks are. In addition, the human factor should not be ignored. Staff should be trained in cybersecurity awareness in order to mitigate the risk of bad actors exploiting human vulnerabilities.
Three Key Takeaways
- The Notifiable Data Breach Scheme requires notification of data breaches in particular circumstances—not all data breaches need to be notified.
- Data breach notification statistics show that data breaches are an ever-present risk to businesses.
- Preparation for data breach events is imperative for entities that hold personal information.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.