Mandatory breach reporting and the case for tighter security
Cyber security breaches are now so prevalent that they almost seem an everyday occurrence. Those breaches that place personal information in jeopardy tend to be particularly newsworthy, because the harm is particularly human (privacy is, after all, a human right).
The new Privacy Act 2020 (the Act) does not overlook the connection between privacy and security.
Information Privacy Principle (IPP) 5 is retained from our previous 1993 privacy law, requiring that personal information is protected by such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, unauthorised use, unauthorised modification, unauthorised disclosure, and other misuse of that information.
But IPP 5 is not the only mention of security precautions in the Act.
Reporting requirements for privacy breaches
The new mandatory breach reporting regime places significant new obligations on those that collect, store, use or disclose personal information. For the first time, there are very real consequences for privacy breaches that have caused, or are likely to cause, serious harm to individuals.
On top of managing the fallout if a privacy breach does occur, organisations now need to carefully monitor whether the Act’s notification obligations are triggered. Fail to notify where the Act required you to, and your business risks criminal liability and a fine of up to $10,000.
For some, the increased fines available under the Act will be consequence enough. Though corporates of a certain size might consider the maximum fine under the Act a paltry sum, they shouldn’t overlook that privacy matters referred to the Human Rights Review Tribunal may lead to awards of compensatory damages (potentially up to $350,000).
Beyond this, a much more meaningful deterrent – one which will be felt by all organisations regardless of wallet size – will be the significant reputational damage suffered, when a privacy breach is serious enough to become notifiable.
What does ‘notification’ actually entail?
Organisations may be required to notify the Privacy Commissioner and affected individuals under the Act. Notification is required as soon as is practicable after becoming aware of the occurrence of a notifiable privacy breach.
Organisations may also need to provide public notice of the privacy breach, if, for example, the breach affected a large number of individuals or the specific circumstances otherwise mean it is not practical to notify all affected individuals.
If a notifiable privacy breach does occur, the Act’s requirements to provide notification are fairly extensive.
In any notification to the Privacy Commissioner your business will need to describe the privacy breach, referring explicitly to how many individuals are affected (if known), and the identity of any person or entity that you suspect may be in possession of personal information because of the privacy breach (if known).
In addition, notification to the Privacy Commissioner will need to:
- explain the steps you have taken (or intend to take) in response to the privacy breach, including whether any affected individual has or will be contacted;
- explain any reliance under the Act by your business on providing notice to the general public rather than direct notice to affected individuals (if any);
- if your business has relied on the Act’s provisions that permit an exception to (or delay in) complying with the requirement to notify affected individuals or give public notice of notifiable privacy breach, state the provision relied on and set out the reasons for relying on the exception (or the need for a delay as well as the expected period of delay);
- state or describe in general terms any other people or entities that have been contacted about the privacy breach, and the reason for making such contact; and
- provide details of a contact person for your business.
The notification requirements for affected individuals are similar; however, you also need to advise the individual of any steps they may wish to take to mitigate or avoid potential loss or harm, that they have the right to make a complaint to the Commissioner, and whether your business has identified any person (or entity) that you suspect may be in possession of personal information because of the privacy breach.
Care must be taken to not actually identify any person or entity that is suspected of possessing the individual’s personal information (unless such information is necessary to prevent or lessen a serious threat to an individual’s life or health) and to not identify any other affected individuals when notifying individuals of any privacy breach that has occurred.
Under the Act organisations are able to provide the various elements of the required notification incrementally – but any information that is available at any point in time must be provided as soon as is practicable.
Once the Privacy Commissioner has been notified of your business’ notifiable privacy breach, they might also choose to publish the identity of your business. If your business does not provide its consent to do this, the Privacy Commissioner may still publish your business’ identity if satisfied that it is in the public interest to do so.
It is important to bear in mind that not all privacy breaches will be notifiable privacy breaches. But those that are may attract liability under the Act and cause significant reputational damage with your customers.
What privacy breaches are ‘notifiable’?
A notifiable privacy breach is a privacy breach where it is reasonable to believe the privacy breach has caused, or is likely to cause, serious harm to individual(s).
The Act and the guidance provided by the Commissioner to date (including the online NotifyUs tool) are limited to defining the process for assessing whether serious harm has occurred or is likely to occur, and stop short of actually defining “serious harm”.
Organisations should always assess whether serious harm has or is likely to occur from the view of the individuals whose personal information has been affected by the privacy breach.
Serious harm is much more likely to exist if the privacy breach could cause an individual to suffer any of the following types of harm:
- physical harm or intimidation
- financial fraud, including unauthorised credit card transactions or credit fraud
- family violence
- psychological harm
- emotional harm
Organisations should also be alert to whether any unique circumstances may mean a privacy breach could cause serious harm to an individual in a way that might not be the case for others.
For example, a privacy breach identifying contact details or an address of a public figure may be more likely to cause serious harm than to the average person. Likewise, that privacy breach is clearly going to impact an individual trying to avoid a violent former partner more than the average person.
While any steps taken to address the privacy breach will not be a valid defence for any failure to notify the Commissioner of a notifiable privacy breach, your business can take steps to help prevent privacy breaches from crossing the threshold into being a notifiable privacy breach.
How to get the most from your organisation’s security measures
Our recommendation to organisations is to be proactive. Well-implemented security measures will help your business avoid privacy breaches, but security measures can and should also be used to limit the impact of any data breach that does occur.
It may be well worth implementing security measures that go above and beyond the reasonable security safeguards required by IPP 5 if the effect of having those measures differentiates a data breach from being a notifiable privacy breach under the Act.
For example, encryption, two-factor authentication and user access permissions that give staff access to personal information only on a “need to know” basis are simple but effective strategies that may help reduce the likelihood of a privacy breach becoming a notifiable privacy breach.
Data that ends up in the wrong hands but cannot be read by the recipient because it is encrypted is unlikely to be viewed as causing “serious harm” requiring notification under the Act. For example, an encrypted USB drive with personal information on it that is left behind on a train amounts to a loss of the data, but if the data is not accessible due to being encrypted, it would be hard to see how such a loss would be likely to cause serious harm and amount to a notifiable privacy breach under the Act. That conclusion holds only if the encryption is strong and correctly applied (full-disk or container encryption rather than a weak or legacy scheme) and the key or passphrase has not gone missing along with the device; if either is in doubt, the loss should be assessed as though the data were in the clear.
Similarly, if an attacker gained access to user account passwords (itself a serious security incident requiring an immediate response, including resetting the affected passwords) but was unable to actually use the accounts because two-factor authentication was enforced, or if the accounts did not have access to any personal information because of their user access permissions, then the likelihood of such a breach causing serious harm requiring notification under the Act will be lower than if these measures were not in place. Being able to show this depends on evidence: authentication and access logs that confirm the second factor blocked the attempts and that the compromised accounts could not reach personal information.
For good data governance, organisations should design their security measures with both malicious attackers and inadvertent disclosure (including through human error) in mind.
Get in touch
Duncan Cotterill’s privacy experts are here to help, if you have any queries or need advice on best practice for managing your customers’ private information. Please feel free to get in touch with our data protection and privacy team if you require further assistance.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.