By Michael Swinson and James Patto. King & Wood Mallesons’ Melbourne office.
Earlier this year, after several frustrated efforts, Australia finally passed new mandatory data breach notification laws in the form of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (which will come into effect on or before 22 February 2018).
While much has already been written about the Act, there is still a degree of uncertainty as to how the new regime may play out in practice. In this article, we aim to guide readers through the practical application of the laws by reference to a number of hypothetical fact scenarios and, in the course of doing so, provide some practical compliance tips.
Scenario 1 — #meet the parties
Flashdance Enterprises (Flashdance) is a multi-billion dollar public company headquartered in Badger Creek, which exclusively sells disco lights. Swiss Cheese Systems (Swiss Cheese) is a marketing consultancy firm. Both are “Australian Privacy Principle (APP) Entities” for the purposes of the Act. Flashdance outsources its core marketing functions to Swiss Cheese and has provided Swiss Cheese with a copy of its complete customer contact list (including the credit card details of repeat customers) for this purpose.
A typical outsourcing contract will impose privacy obligations on service providers like Swiss Cheese in relation to the storage, use and disclosure of personal information that they may obtain in the course of performing their services. In addition, it is also common to see additional cyber security obligations requiring the service provider to follow certain technical and operational standards to prevent or mitigate the risk of data breaches (eg, mandatory software patching, vulnerability scanning, use of encryption, compliance with security audits, and so on).
In light of the new mandatory data breach notification laws, it would be wise for Flashdance to review the terms of its outsourcing contract with Swiss Cheese in order to confirm that it adequately deals with data breach detection and notification issues. In particular, Flashdance should ensure that:
- Swiss Cheese is required to immediately notify Flashdance on becoming aware of any data breach and to provide information and other assistance requested by Flashdance to assess the seriousness of and respond to any reported breach; and
- Swiss Cheese is prohibited from notifying any third party of a data breach without Flashdance’s express prior approval. In particular, the contract should state that Flashdance has exclusive control over any breach notices that may be required under the new mandatory data breach notification laws.
This second limb is critical, as it will ensure that Flashdance is able to control how a potentially awkward message is delivered to its affected customers. A key focus for any organisation in the wake of a data breach will be to limit any resulting harm to its reputation. It will certainly not be helpful for the organisation to find out that a service provider has unilaterally taken upon itself to contact customers about a data breach in which the service provider was involved. Inconsistent messaging in relation to the breach is likely to erode trust and compound brand damage.
In this context, it’s important to note an exception in the new data breach laws that is designed to prevent duplicate breach notices. The exception provides that where a breach would be notifiable by more than two entities (eg, in the case of a joint venture arrangement where both joint venturers may have obligations in relation to the same information, or an outsourcing arrangement where both customer and supplier may be custodians of the same information), only one entity needs to issue a breach notice. Accordingly, in our scenario, if Flashdance issues a notice, then Swiss Cheese will have the benefit of this exemption.
As a side note, additional factors could come into play if Swiss Cheese was based entirely offshore. In this case, Swiss Cheese may potentially not be directly subject to Australian privacy laws. If so, then any actions of Swiss Cheese in relation to personal information disclosed by Flashdance would be attributed to Flashdance, and Flashdance would be directly responsible for complying with the new notification regime in relation to breaches affecting Swiss Cheese outside Australia. In this case, it would be even more important for Flashdance to ensure that its outsourcing contract imposes appropriate cooperation and assistance obligations on Swiss Cheese. Further, Flashdance may insist on stricter indemnity protections in order to ensure that it will be kept whole in the event that an overseas breach by Swiss Cheese results in some direct liability for Flashdance in Australia.
Scenario 2 — #nothing to see here
Swiss Cheese identifies that its systems have been hacked by a disgruntled ex-employee who was recently fired for misconduct. While it can see that there has been some intrusion, it is too early to tell what information (if any) relating to Flashdance or its customers has been accessed, modified or used by the ex-employee.
As explained further below, a data breach only becomes an eligible data breach (ie, a breach that would trigger the notification requirements) if it is likely to result in serious harm to an affected individual. At this stage of our scenario, it is possible but by no means certain that an eligible data breach has occurred. However, if the contract that Flashdance has in place with Swiss Cheese is drafted well, then Swiss Cheese will still be obliged to notify Flashdance about the suspected breach so that they can decide on the next steps both organisations will take.
In order to comply with s 26WH of the Act, Flashdance and Swiss Cheese will be required to carry out a reasonable and expeditious assessment of whether there are in fact reasonable grounds to believe that an eligible data breach has occurred. They must use reasonable steps to ensure that the assessment is completed within 30 days of becoming aware of the breach. We would hope that the outsourcing contract with Swiss Cheese would allow Flashdance to take the lead in investigating and assessing the potential breach, and would include appropriate audit and cooperation provisions to require Swiss Cheese to assist in the investigation process (eg, by disclosing relevant information relating to the breach and providing access to any systems that may have been compromised for the purposes of forensic examination).
The assessment must be both “reasonable” and “expeditious” though there is no clear objective standard for meeting these criteria. In all likelihood, what is reasonable and expeditious will depend on the circumstances of each case, including the size of the potential data breach, the information required to properly assess the breach and so on. In some cases, if an organisation lacks specialist forensic skills required to properly investigate a breach, it may be reasonable to engage external security experts to assist with the assessment.
If the investigation reveals that a breach has occurred, then it would be sensible for Flashdance to immediately seek to implement remedial action to limit the impact of the breach. Section 26WF of the Act provides that if remedial action has been taken to prevent any serious harm resulting from a breach, then the notification obligations will not apply. Depending on the circumstances, remedial action may include things such as remotely wiping data stored on lost devices, resetting passwords, confirming that unauthorised recipients of compromised data have deleted it and so on. The sooner these remedial steps can be taken, the more likely it is that a breach notice will not be required.
Scenario 3 — #it’s a breach!
As a result of their investigation, Flashdance and Swiss Cheese identify that the disgruntled ex-employee logged into his still active user account and accessed the corporate email addresses and names of 20 of the representatives of Flashdance’s key corporate customers. After obtaining this information, he posted the information to a personal online blog stating that the people listed are doing business with “the devil”. His blog has an average of 10 visits per month.
Now that the parties have determined that there has in fact been a breach, they must determine whether or not it is an eligible breach for which a notification is required. A breach will be an eligible breach if either of the following conditions is satisfied:
- there is unauthorised access to, or disclosure of, personal information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harmto any of the individuals to whom the information relates; or
- personal information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harmto any of the individuals to whom the information relates.
Flashdance is dealing with a situation where there has been unauthorised access to and disclosure of information, rather than any loss of information, so it is the first of these conditions that is relevant. The breach will need to be notified if a reasonable person would consider that the relevant access and disclosure would be likely to result in serious harm to the individuals affected (ie, the 20 customer representatives whose details have been taken).
The relevant Explanatory Memorandum[1] clarifies that “likely” in this context means more probable than not (so that a notice will not be required if there is only a remote possibility of harm eventuating from the breach) and s 26WG of the Act sets out a list of factors that should be considered when dealing with the question of “serious harm”. Some of these factors are:
- the kind and sensitivity of the information in question;
- whether the information is protected by a security measure (ie, encrypted or password protected) and the likelihood that those could be overcome;
- the kind of person who may have obtained access to the information (ie, if they are motivated by a desire to cause harm); and
- the nature of the harm suffered.
The Explanatory Memorandum also states that:
Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach. Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.[2]
In the authors’ view, in this particular fact scenario, it would be hard to argue that the misappropriation of corporate email addresses and names followed by disclosure on a private blog (albeit in an unflattering context) would be likely to lead to serious harm.
First, this information is not of a kind and sensitivity that would be likely to lead to serious harm if misappropriated. In many cases it would already be publically available on social media platforms such as LinkedIn, or even the customer’s corporate website. Second, the method of distribution of the information means that it is unlikely that the relevant disparaging remarks on a rarely frequented internet backwater will have a substantial impact on each of the individual’s reputations. Although there is potential for some reputational damage and distress to result from the disclosure, in the authors’ view it is likely to fall short of the “serious harm” threshold.
Weighing up these factors, it is likely that a reasonable person would conclude that the access to and disclosure of the information about Flashdance’s customers would not be likely to result in serious harm to the individuals concerned. However, it is not hard to imagine how a different conclusion could be reached in slightly different circumstances — for example, if the type of information disclosed included personal home addresses as well as work email addresses, and if it was posted on a widely viewed forum in a context that could damage the person’s professional standing or cause some personal humiliation (eg, posting details of oil company employees in a forum popular with environmental activists, with an exhortation to target those employees for harassment or abuse). In either case, Flashdance would be well advised to take steps to mitigate the risk of any further harm occurring (eg, by contacting the relevant website host to see if they can have the offending posts taken down).
While on the facts of our particular scenario the breach may not be notifiable, this does not mean that there are no potential consequences for Flashdance or Swiss Cheese. By failing to cancel the ex-employee’s system access, there may well have been a failure to adequately protect the personal information stored by Swiss Cheese, which could amount to a breach of relevant security obligations that apply under the Act. This could, in turn, prompt an investigation and some type of enforcement action by the Privacy Commissioner, such as a declaration that there has been a breach, and an order that specific actions be taken to ensure that it is not repeated.
Scenario 4 — #this time it’s financial
Flashdance engaged a third party investigator to help look into the breach affecting Swiss Cheese. However, unfortunately, it turns out that one of the investigator’s personnel had gone rogue and while carrying out the investigation duplicated Flashdance’s entire customer contact database (containing 100,000 entries, including home addresses and credit card details) intending to sell it to a criminal enterprise.
Once again, there is a clear data breach as the investigator has accessed and disclosed information in a way that was not authorised. However, in this case, the likelihood of serious harm arising is much higher. In particular, the information that has been misappropriated includes detailed personal and financial information and is much more prone to being misused to cause serious harm, such as financial fraud or identity theft, than a mere list of names and email addresses.
In addition, in this case, the person who has obtained access to the information has done so deliberately for criminal purposes, so that further harm is likely to ensue. Accordingly, in the authors’ view, it is likely that this breach would be considered to be an eligible data breach.
In order to discharge its notice obligations in relation to this breach, Flashdance would need to prepare a statement relating to the breach and provide the Privacy Commissioner with a copy of the statement as soon as practicable after becoming aware of the breach. The statement must contain the following information:
- the identity and contact details of each entity affected by the breach (in this case, both Flashdance and Swiss Cheese, noting that Swiss Cheese would not need to issue a notice of its own once Flashdance has done so);
- a description of the breach;
- the kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the serious data breach.
The last section of the notice is perhaps the most important — a key purpose of the notice regime is to ensure that individuals affected by a data breach are educated on how to protect themselves against any ensuing threat. Naturally the precise recommendations in each case will depend on context of the breach and the type of information that has been affected. However, in the present case, recommendations could include that affected individuals:
- contact their bank to cancel their credit cards or otherwise review their account statements for signs of any fraudulent activity;
- beware of suspicious messages that could be sent by a third party fraudster using the stolen information in order to fish for further details that could be used for purposes of identity theft (eg, emails asking for driver’s licence or passport details, or asking to confirm credit card PIN); and
- asking major consumer credit-reporting bureaus to place a fraud alert on their name.
As well as providing its prepared statement to the Privacy Commissioner, Flashdance will also need to take steps to provide the same information from the statement to individuals affected by the breach. There are a few ways in which Flashdance may discharge that obligation:
- if practicable, provide a copy of the statement to each individual to whom the compromised information relates (ie, every customer in the Flashdance database) or alternatively to each individual who is at risk from the eligible data breach (ie, if Flashdance has grounds to think not all customers are at risk of serious harm — for example, if some customer records did not include any payment details or other information beyond a corporate email address — then Flashdance may choose instead to only notify the subset of customers at risk); or
- if neither of those is practicable, publish a copy of the statement on Flashdance’s website and take reasonable steps to publicise the content of the statement (eg, by including notices in Flashdance’s social media feeds or in future customer communications, such as in newsletters that Flashdance produces and distributes about its business).
Of course, this may only form part of Flashdance’s overall public relations strategy for dealing with this incident. Customers who receive the notice issued by Flashdance to comply with the breach reporting obligations may have further questions, so Flashdance may wish to set up a frequently asked questions (FAQs) page on its website or establish a dedicated hotline to deal with customer queries. Flashdance may also wish to provide regular updates on its website about further mitigation and correction activities that are occurring internally, in order to demonstrate its commitment to dealing with the incident in a transparent manner and mitigate any damage to its brand and customer relationships.
Scenario 5 — #don’t do this
Flashdance’s CEO is away on holiday at the time the breach is uncovered. In her absence, no one else at Flashdance feels empowered to issue a breach notice. Instead, the management team decided it is better to wait until the CEO returns. By the time the CEO arrives back in the office, all of the management staff have forgotten about the breach and Flashdance does not end up notifying the Privacy Commissioner or any of its customers about the breach.
In this case, it is relatively clear that Flashdance will have failed to comply with its notice obligations. This will constitute an interference with the privacy of an individual whose information was misappropriated. If the Privacy Commissioner independently becomes aware of the breach (eg, by receiving a complaint from a member of the public), he or she may order Flashdance to issue a breach notice. The Privacy Commissioner will also have the full range of ordinary enforcement options available under the Act, including powers to carry out an investigation into the incident and to make a determination that Flashdance has breached the Act and must take certain steps to ensure that the breach is not repeated or to redress any loss or damage suffered by its customers as a result of the breach. Any such determination could be enforced in the Federal Court.
In addition, the Privacy Commissioner has the option of bringing an action in the Federal Court to seek a civil penalty for a repeated or serious failure to comply with the data breach notification regime. In the present case, the lackadaisical manner in which Flashdance management has dealt with a serious breach could potentially prompt this type of action, even if it is not repeated. The maximum penalty that can be awarded under the Act is 2000 penalty units (or $1.8 million for a corporation, at time of writing), though a breach would need to be considered particularly egregious for the penalty to reach that level.
Conclusion
The introduction of the mandatory data breach notification laws is a significant change to Australia’s privacy regime. It is important for businesses to ensure that they have internal processes in place that will enable them to respond to data breach incidents effectively and in a manner that satisfies the new notice requirements. The Privacy Commissioner has published guidelines on how to develop a data breach response plan, which will no doubt be updated in the wake of the new laws. It would be sensible for organisations to consult these guidelines to test whether the processes they currently have in place are sufficiently robust. However, they should not simply treat this as a “tick the box” compliance exercise. Swift and decisive handling of data breach incidents is not only important for managing regulatory risks, it is also critical for preserving customer trust and market reputation. Accordingly, having a sensible data breach response plan in place makes good business, as well as legal, sense.
Note: It was first published in Australian Media, Technology and Communication Law Bulletin published by LexisNexis.
[1] Explanatory Memorandum Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth).
[2] Above n 1, at [9].