Big business faces new data breach notification laws

Australian businesses with an annual turnover of $3 million or more will have to disclose information breaches that involve individuals’ personal information, under new laws passed in Parliament.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced into Parliament on 19 October last year, and was passed into law after debate in the Senate on 13 February.

The passing of the long-awaited legislation puts into motion new laws that will see local organisations that are subject to regulation by the Privacy Act required to notify the Australian Information Commissioner and affected individuals of an eligible serious data breach.

In instances where it is not certain that a breach has occurred, the new laws give organisations up to 30 days to investigate whether a breach notification is needed.

According to the Bill’s explanatory memorandum, an eligible data breach will occur in situations where unauthorised access to, or unauthorised disclosure of, information would be likely to result in serious harm to any of the individuals to whom the information relates.

The explanatory memorandum also notes that breaches are not limited to malicious actions, such as theft or “hacking”, but may arise from internal errors or failure to follow information-handling policies that cause accidental loss or disclosure of individuals’ personal information.

However, in order not to impose an “unreasonable compliance” burden on local businesses, and to avoid the risk of “notification fatigue” among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement.

As it stands, the legislation relates to personal information, tax file number information, credit card information, and credit eligibility information deemed to pose “real risk of personal harm”.

Prior to the new legislation, mandatory data breach notification requirements applied only in the event of unauthorised access to certain eHealth information under the My Health Records Act 2012.

Until now, such reporting has been voluntary under the existing laws.

The proposed scheme is expected to apply to around six per cent of Australian businesses, as the Privacy Act exempts small businesses – entities with an annual turnover of $3 million or less.

The legislation passed without amendment, despite attempts by Greens Senator, Scott Ludlam, to move a motion that would have seen the legislation apply to organisations with a turnover of less than $3 million, and a motion to shorten the 30-day investigation window.

Page Break

Both proposed amendments were voted down.

“The threshold, according to who this bill applies to, shouldn’t have anything to do with turnover,” Ludlam said during a debate on the Bill in the Senate. “It should have more to with how much data these organisations are holding.”

Ludlam also questioned why the legislation does not apply to political parties.

As noted in the Bill’s explanatory memorandum, the new provisions are expected to see businesses affected by the new legislation incur a cost related to compliance.

“Whilst not quantified, a number of administrative costs have been identified by industry groups, such as creating notification methods, formalising internal processes and increased insurance and legal costs,” the explanatory memorandum stated.

In September last year, CyberArk released research findings that suggesting that just 34 per cent of Australians surveyed felt their businesses were completely prepared to handle mandatory breach notification requirements.

“It can be inferred, therefore that there is a lack of confidence about either being able to identify a breach, or in existing emergency response plans – including providing the necessary information to the executive team, who would be responsible for the public breach notification,” the survey report stated.

Among the local channel community, the legislation has received mixed reviews.

Mandiant director of threat intelligence and consulting, Tim Wellsmore, suggested late last year that he was not sure that the public and industry had enough clarity around what the legislation was trying to achieve.

"Are we trying to put in breach disclosure legislation to protect the privacy of individuals? And if so, [the legislation] doesn’t reach all of the requirements to do that. From my reading of it, small to medium enterprises are not included,” Wellsmore said, mirroring Ludlam’s concerns.

"I don’t think we have a clear success goal here. If we are here to try and protect the privacy of individuals then if any individual data has been leaked, people need to know about it, and yet we have all those exemptions,” he said at the time.

The new laws will come into effect by either a proclaimed date, or a year after they receive Royal Assent.