Part 4 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches
Overview of the Notifiable Data Breaches Scheme
Australia has had a mandatory data breach notification scheme since 22 February 2018 (Notifiable Data Breaches Scheme). The rationale for this scheme is that:[1]
“…if an individual is at likely risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.”
Application and requirements
The Notifiable Data Breaches Scheme only applies if there is an ‘eligible data breach’. Businesses aren’t obliged to notify every data breach. Indeed, the Turnbull Government considered that it was inappropriate to notify minor breaches because of the administrative burden, notification fatigue for individuals, and the lack of utility where notification doesn’t facilitate harm mitigation.[2]
An individual is deemed to be at risk from an eligible data breach in two circumstances:[3]
- There is unauthorised access to, or unauthorised disclosure of, the information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to the individuals to whom the information relates.
- The information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and, assuming that access or disclosure were to occur, a reasonable person would conclude that it would be likely to result in serious harm to the individuals to whom the information relates.
If there is an eligible data breach, then the business must give the Information Commissioner a statement as soon as practicable after becoming aware of the eligible data breach.[4] The business must also notify the contents of the statement to the individuals to whom the relevant information relates, or who are at risk from the eligible data breach.[5] If notifying those individuals is not practicable, the business must publish the statement on its website or, if it has no website, take reasonable steps to publicise the contents of the statement.[6] The statement must set out:[7]
- the business’ identity and contact details;
- a description of the eligible data breach that the business has reasonable grounds to believe has happened;
- the particular kinds of information concerned; and,
- recommendations about the steps individuals should take in response.
Businesses only need to notify if serious harm is likely
There is only an eligible data breach if ‘serious harm’ is ‘likely’. The word ‘likely’ means the risk of serious harm to an individual is more probable than not.[8] The intended threshold for ‘serious harm’ includes serious physical, psychological, emotional, economic, financial and reputational harm.[9] An individual’s mere distress or upset at unauthorised access to personal information is not necessarily ‘serious harm’.[10]
Save notification by immediately eliminating the serious harm risk
The Notifiable Data Breaches Scheme provides businesses with the opportunity to take immediate action to eliminate the risk of serious harm. If the action is successful then there is no obligation for the business to report the data breach.[11]
No requirement to notify suspected eligible data breaches
The trigger for the notification requirements is that there are reasonable grounds to believe that there has been an eligible data breach. However, if the business only has reasonable grounds to suspect an eligible data breach, the legislation obliges the business to move quickly to resolve the suspicion by assessing whether an eligible data breach has occurred.[12] The notification requirements come back into play if the assessment reveals an eligible data breach. The expected timeframe for completing the assessment is 30 days.[13]
Data breach response plans
All businesses should have an up-to-date data breach response plan. These plans enable businesses to respond quickly to the data breach, and can substantially reduce impacts of the breach, costs and potential reputational damage. Plans help meet Privacy Act obligations, limit the consequences of the data breach, and build trust with your stakeholders.[14]
Responding to data breaches
Generally, there are four key steps to follow when responding:
- Contain the data breach to prevent any further compromise of personal information.
- Assess the data breach by gathering the facts and evaluating the risks.
- Notify individuals and the Office of the Australian Information Commissioner if required.
- Review the incident and consider what actions can be taken to prevent future breaches.
However, the response will typically vary on a case-by-case basis. Depending on the breach, not all steps may be necessary, some steps may be combined, and additional steps may be required.
Avenging data breaches
Along with referring breaches to the Australian Federal Police for criminal investigation, businesses should consider seeking damages through civil litigation when their data has been unlawfully accessed. For example, civil torts such as trespass, nuisance and conversion may be available. There may also be scope to claim under the Australian Consumer Law for misleading or deceptive conduct.
Read Part 1, Part 2 and Part 3
For more information, please contact Coleman Greig’s Privacy and Data Protection lawyers.
[1] Commonwealth, Parliamentary Debates, House of Representatives, 19 October 2016, 2430 (Michael Keenan, Minister for Justice).
[2] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 4 [11].
[3] Privacy Act 1988 (Cth) s 26WE.
[4] Privacy Act 1988 (Cth) s 26WK.
[5] Privacy Act 1988 (Cth) s 26WL.
[6] Privacy Act 1988 (Cth) s 26WL.
[7] Privacy Act 1988 (Cth) s 26WK.
[8] OAIC, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (July 2019).
[9] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 3-4 [9]-[10].
[10] Ibid.
[11] Privacy Act 1988 (Cth) s 26WF.
[12] Privacy Act 1988 (Cth) s 26WH.
[13] Privacy Act 1988 (Cth) s 26WH.
[14] OAIC, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (July 2019) 13.