The Australian Government invited public comment on a draft mandatory data breach reporting bill ahead of its introduction to Parliament in 2016
What does this mean? If a mandatory data breach reporting scheme is introduced, there will be nowhere to hide in the case of a serious privacy breach, with the very real prospect of a costly class action following the breach, as has been the case in North America.
The Australian Attorney-General’s Department released and sought comments on an exposure draft of a mandatory data breach reporting bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill).
The time for submissions has now closed, and the Attorney-General’s Department has published a number of the non-confidential submissions in relation to the Exposure Bill on its website.
The published submissions were made by 45 separate organizations, agencies and individuals, including:
- industry and consumer groups;
- regulators, government departments and law reform agencies; and
- major Australian and international companies.
Many of the submissions raised similar issues, including:
- concerns about the scope, or lack of definition, of key terms in the Exposure Bill, such as “real risk” and “serious harm”;
- the possibility of “notification fatigue” if consumers receive too many data breach notifications;
- the possibility that the Exposure Bill may require multiple, potentially inconsistent, notifications of the same data breach; for example, notification by the organization that collected the personal information and also by the cloud service provider whose service was actually breached;
- the application of the Exposure Bill to undetected breaches of which organizations ought reasonably to have been aware; and
- the timing of the requirement to notify affected individuals of a data breach (including the opportunity to consult the Australian Information Commissioner about the breach).
Not simple at all!
The Attorney-General’s Department will now consider the submissions, which may lead to recommended changes to the Exposure Bill before it is introduced to Federal Parliament. Notwithstanding a possible early election, there is every indication that the introduction of a mandatory data breach reporting regime has the support of the major political parties. The law is still likely to take effect in late 2017.
Accordingly, organizations should continue to be proactive in this area and should start preparing for the introduction of mandatory data breach reporting obligations as part of their overall cyber-risk management strategy.
To effectively manage cyber-risk, organizations will need a data breach response plan setting out what to do if a breach occurs: how a suspected breach is assessed against the “real risk of serious harm” threshold, who decides whether notification is required, and how the Commissioner and affected individuals will be notified. Many breaches arise from weaknesses in vendors’ systems rather than in organizations’ own systems. It is therefore also important to have a vendor cyber-risk management framework in place, including contractual obligations on vendors to notify the organization promptly of breaches affecting its data, so that the organization can meet its own notification obligations.
Some quotes from the proposed bill
Notification to the Australian Information Commissioner (the Commissioner) and affected individuals would only be required following a ‘serious data breach’.
A serious data breach would occur if any of the following information:
- personal information
- credit reporting information
- credit eligibility information, or
- tax file number information
that an entity holds about one or more individuals is subject to unauthorized access or unauthorized disclosure that puts any of the individuals to whom the information relates at ‘real risk of serious harm’.
Security breach notification laws or data breach notification laws are laws that require an entity that has been subject to a data breach to notify their customers and other parties about the breach, and take other steps to remediate injuries caused by the breach. Such laws have been enacted in most U.S. states since 2002.