Most companies in Australia will be required in 2018 to notify the national privacy regulator and affected individuals of certain data breaches under long-awaited legislation that cleared Parliament Feb. 13.
Australia will become one of only a handful of Asia-Pacific countries with a breach notice law. The Philippines has a general breach notice law and Japan and China have limited breach notice requirements. Most multinationals already are familiar with the concept as 47 U.S. states and several Latin American countries have breach notice laws on the books. Sector-specific breach notice laws, primarily in the electronic communications sphere, have been in place for several years in Europe, and a new European Union privacy regime that takes effect in May 2018 includes a general data breach notice requirement covering nearly all companies.
The law covers companies with revenues in Australia of over A$3 million ($2.3M). This means most multinationals that do business in Australia will exceed the revenue benchmark. For example, Jeld-Wen Holding Inc., a Charlotte, N.C.-based maker of doors and windows, did A$133.8M in sales in Australia in the last quarter of 2016, Bloomberg data show.
Companies subject to these laws have experienced increased compliance costs, both in monitoring cybersecurity incidents to determine whether notification is required and in providing actual notification to individuals. In June 2016, the Traverse City, Mich.-based Ponemon Institute estimated that the average notification cost per breach for surveyed U.S. companies was $590,000. Meanwhile, breach notice costs reported by Australian companies under the country's voluntary breach notice system were only $60,000. Breach notice costs in Australia are likely to rise as the number of required notifications increases.
There are “some tricky questions for a company trying to determine whether they are required to notify” and businesses could seek advice from the privacy commissioner on whether a breach met notification criteria, Brendan Tomlinson, information technology special counsel at the Maddocks law firm in Sydney, told Bloomberg BNA.
The legislation includes a risk-of-harm trigger that limits when companies must give notice, which must occur within 30 days of discovering a breach. The law requires notification of an “eligible data breach” involving unauthorized access to or disclosure of personal information that a reasonable person would conclude “is likely to result in serious harm” to an individual to whom the information relates.
Serious harm isn’t defined in the bill. Factors cited to determine whether serious harm is likely include the sensitivity of the information breached, the type of person who might gain access to the information, and the nature of the harm that may result from a breach. The legislation doesn’t specify the types of serious harm that can be considered notifiable, but an official explanatory memorandum on the measure says the harm can be physical, psychological, emotional, economic, financial or reputational.
Companies should be familiar with the risk analysis tied to economic harms such as identity theft or credit card fraud. The psychological, emotional and reputational risks are akin to harms discussed in other contexts, such as personal negligence and other tort claims, and may be less familiar in the breach notice context. They aren’t cited as a risk-of-harm trigger in most breach notice statutes, although many statutes don’t require any evidence of risk of harm to trigger the notice obligation.
Attorney-General Senator George Brandis Feb. 13 told the Senate it would be “very difficult, indeed I dare say impossible to legislatively define” the threshold at which a breach would constitute a risk of serious harm.
Although defining the risk of harm threshold may be hard, “a body of precedent and practice will develop as the legislation operates” to clarify what constitutes serious harm, Brandis said.
This would be “assisted by the publication of compliance guidance by the Office of the Australian Information Commissioner,” he said. The Office of the Australian Information Commissioner hosts the Office of the Privacy Commissioner.
Tomlinson predicted that the privacy commissioner would be busy making breach notice evaluations and that the number of breach notices will rise above the levels seen now under the voluntary notice scheme.
Privacy commissioner Timothy Pilgrim welcomed the passage of the legislation. “My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement,” he said in a Feb. 13 statement.
Data Governance Australia Chief Executive Jodie Sangster told Bloomberg that many companies have been operating in line with the existing voluntary breach notification regime, so making it mandatory “in many respects won’t be a huge change.” Data Governance Australia is a non-profit group that works with companies that handle data to establish data security and other best practices.
Penalties for failure to meet the breach notification requirements are governed by the sanctions outlined in the Privacy Act. Civil penalties under the Privacy Act include maximum fines of up to 2,000 penalty units. Penalty units are a measure set by the government each year. The latest penalty unit figure was set at A$180 ($138), so the maximum fine under the Privacy Act would be approximately A$360,000 ($275,418).
To contact the reporter on this story: Murray Griffin in Melbourne at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Further information on the data breach notice bill is available at http://src.bna.com/ma8.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.