New Data Breach Notification Laws
On 19 October 2016, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced into the Australian Federal Parliament. The Bill seeks to impose data breach notification obligations on organisations and agencies where a person’s personal information is involved. Both the Liberal Party of Australia and the Australian Labor Party have expressed support for such a scheme.
Overview
The Bill proposes to insert ‘Part IIIC – Notification of eligible data breaches’ into the Privacy Act. The new law will apply to any entity that holds personal information relating to one or more individuals, as well as to credit reporting bodies, credit providers and recipients of tax file number information.
An ‘eligible data breach’ for the purposes of the Bill occurs where there is unauthorised access to, disclosure of, or loss of personal information held by an entity, and that access, disclosure or loss is likely to result in serious harm to any individual to whom the information relates. Serious harm includes financial, economic, physical, psychological or emotional harm. An ‘eligible data breach’ also occurs where information has been lost in circumstances where unauthorised access to, disclosure of, or loss of that personal information is likely to occur. In either case, the individual to whom the information relates is considered to be ‘at risk’.
Under the new scheme, in certain circumstances an entity must give a notification to the person or persons who are at risk.
Failure to comply with obligations under the proposed new law will be deemed to be an interference with the privacy of an individual and can give rise to an investigation by the Privacy Commissioner, and civil penalties in serious cases.
Recent Data Breaches
In recent years we have seen numerous data breaches, including the Sony data breach of 2014, in which a cyber-attack compromised the personal information of around 47,000 Sony employees, including Social Security numbers and medical information. Many documents were also leaked, including emails between senior Sony executives. The hack led to four lawsuits from former Sony employees and eventually resulted in a settlement worth almost US$8 million. Similar leaks have reportedly occurred in 2016 at large companies such as Seagate and Verizon, where employee or customer information was stolen or leaked.
These examples clearly show that no organisation is immune to data breaches. Australian organisations that hold personal information should be aware of their obligations under the new Bill, which is likely to be passed before the end of the year, and take steps to ensure that they can and will comply with its provisions.
Alan Arnott is a technology lawyer with qualifications in computer science and law. He has significant experience advising hi-tech companies and is the founder of Arnotts Technology Lawyers and DocuStream.