New mandatory data breach laws*


By Laura Keily and Matthew Jarrett**

The irony will not be lost on the Australian public.  As the Australian Government’s new data breach laws came into force in February 2018, the Government was still recovering from a scandal in which official documents had been left in filing cabinets sold through a second-hand store.

Second-hand stores seem to be a common locale for data breaches.  In one of the leading U.S. cases under the Californian data breach laws, The People of the State of California v Kaiser Foundation Health Plan, Inc.,[1] the breach arose from the purchase of a hard drive at a charity store.

Quite apart from the serious national security concerns, and the measures that should be in place to protect against them, data breaches are costly to Australian businesses, having resulted in losses (measured as customer turnover, reputational losses and diminished goodwill) of $0.89 million in 2015 alone.[2] In the main, of course, data breaches result from cyber-attacks.  Such breaches of data security are increasing in frequency and scope, with 38% more security incidents detected in 2015 than in 2014,[3] and nearly a quarter of surveyed firms having suffered an IT security breach in the previous 12 months.[4] This has led to cyber attacks being ranked as the second greatest risk for businesses in Sydney and Melbourne,[5] and a national study commissioned by the Office of the Australian Information Commissioner (“OAIC”) found that 89% of respondents were worried about the security of their personal information when using the internet.[6]

Over 90% of the Australian public believe that both government and private business organisations should inform them if their personal information is lost.[7] Whilst Australia has had a system of voluntary data breach guidelines in place, it is estimated that only half of all data breaches are reported,[8] which has led to calls for a mandatory data breach notification scheme, as is the norm in many other countries.  For example, the European Union, New Zealand, Canada and 47 US states have data breach notification laws in place.[9]

The Notifiable Data Breaches scheme takes effect from 22 February 2018,[10] and requires entities to act promptly on suspected data breaches by notifying affected individuals and the OAIC of “eligible data breaches”.  The introduction of mandatory data breach notification laws aims to ensure that affected parties can take remedial steps to protect their personal information once it has been compromised.[11] Individuals can be confident that they will be made aware of any data breach affecting their personal information, as entities that contravene the notification requirements will be liable for a civil penalty of up to 2,000 penalty units ($420,000).[12]


* This paper is not yet published. It is not to be re-published or circulated without the express permission of the authors.

** Laura Keily (BSc, LLB (Hons), MCommrclLaw, MAICD) is a Victorian Barrister.  Matthew Jarrett is a law student at Monash University.


[1] The People of the State of California v Kaiser Foundation Health Plan, Inc. (Cal, No RG14711370, 24 January 2014).

[2] Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis (May 2015), available at <www.ibm.com>.

[3] PwC, Turnaround and Transformation in Cybersecurity: Key Findings from the Global State of Information Security Survey 2016, page 24.

[4] Telstra, Cyber Security Report 2014, page 30.

[5] Cambridge Centre for Risk Studies, University of Cambridge Judge Business School, Lloyd’s City Risk Index 2015–2025 (February 2016), available at <www.lloyds.com>.

[6] Office of the Australian Information Commissioner, Community Attitudes to Privacy Survey Research Report 2013 (2013) (Community Attitudes Report), pages 3–5.

[7] Community Attitudes Report, pages 3–5.

[8] Office of the Australian Information Commissioner, Mandatory data breach notification, <www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification>.

[9] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 9, 39–40.

[10] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 2.

[11] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 2, 3.

[12] Privacy Act 1988 (Cth) s 13G.