Australian Cyber Security Magazine, ISSUE 3, 2017

Page 20

Cyber Security

no notification obligation, because it is unlikely that any individual will suffer serious harm. The OAIC can challenge that decision. The OAIC can also investigate where it becomes aware of a possible breach and there has been no notification. Again, this would be a CII, as it would not arise from a complaint being lodged by any individual, but from the OAIC forming a view that there may have been an interference with the privacy principles warranting investigation. The OAIC may couch the investigation in terms of compliance with the data breach notification provisions of the Act or APP 11 (the obligation to take reasonable steps to secure personal information). If you decide not to notify, you should think about the possibility of an investigation and retain records of the basis of your decision. It may also be prudent to seek legal advice, as some of the provisions in the Act are complex. It is worth remembering that legal advice may be privileged (and so not discoverable) in any subsequent legal proceedings. In the US, many internal data breach investigations are led by the in-house legal department, as part of the data breach response plan, which may extend legal professional privilege over all investigative and forensic reports.

Will my organisation be fined? Unlike other jurisdictions (such as the UK), the OAIC cannot issue fines. An application must be made by the OAIC to the Federal Court for the imposition of a civil penalty. The OAIC can make such an application only in the case of serious or repeated interferences with the privacy principles, or the data breach notification provisions. The Federal Court will determine the amount of the civil penalty, which could be up to $1.8 million in the case of corporations. Given the Commissioner’s light touch approach to enforcement of the data breach provisions, it seems unlikely that the OAIC would seek a civil penalty for a failure to notify or for circumstances relating to a notified data breach, unless there are particularly serious circumstances, for example a failure to notify in circumstances where notification would have given a large number of affected individuals a real opportunity to mitigate the damage from the breach.

Can my organisation be sued? There is no individual right to sue for breach of the Privacy Act (including the data breach notification obligations in the Act). There is also some doubt about the existence of a right to sue for breach of privacy under Australian common law. Although there are indications that the courts may entertain a tortious claim of breach of privacy, it would be a change to the current law, and such a claim is not the sort of ground-breaking test case an average litigant would be keen (or wealthy enough) to take on. Suits could be brought based on negligence, such as an organisation’s failure to take reasonable steps to prevent a data breach. To date, no such actions have been brought in Australia, and establishing causation and proving loss may prove difficult.


Conclusion

As part of your data breach planning, do not expect the media to be nice. Think about how the press might report the incident and be prepared to address any negative spin. Remember, your data breach will get into the press, especially once you’ve given notice, and they like to beat up a good data breach story. If you decide to notify, consider what you’re going to tell the OAIC and provide enough information to reassure them that the breach has been stopped, that you’re looking after the people affected and that the breach won’t reoccur. If it’s clear that some failure in your systems has led to the breach, think about offering an enforceable undertaking. If you are involved in an investigation, be as co-operative and helpful as possible. Remember, the Commissioner does not want to punish organisations and, in the first instance at least, will look to educate and guide them to a better understanding of their obligations. Finally, it’s unlikely that you’ll be sued or that you’ll be fined, but that is no reason for complacency. Mitigation costs and reputational damage can still hit hard – just ask Sony, Target, Anthem and the Australian Bureau of Statistics.

Disclaimer

Ringrose Siganto publications and communications constitute commentary and are for general information only. They should not be relied upon as legal advice. Formal legal advice should be sought for specific issues concerning this material. Listed authors are not admitted to practice in all Australian States and Territories.

About the author

Dr Siganto is a partner in law firm Ringrose Siganto and a highly experienced former in-house legal counsel. She is an information security and privacy expert and a long-time specialist in information security training. Dr Siganto has been sought out by government departments, international corporations and Australian businesses to advise them on a range of privacy and security issues, including conducting privacy compliance reviews, impact assessments and reviewing technology contracts of all types. In addition to her other work, Dr Siganto pursues research projects into cyber security issues, particularly around the human aspects of information security, and regularly talks on issues such as data breach notification, information security practice and cyber security skills.

Earlier this year, the Federal Government passed new rules on mandatory breach notification into Australian law. Commencing February 22nd, 2018, many Australian businesses and organisations will no longer be able to remain silent if there is a data breach. The rules are aimed at directing entities to become active in protecting the personal information they hold on behalf of their clients and customers, implementing effective data breach response plans and taking appropriate steps to protect individuals whose information has been lost, stolen or compromised. How can you determine if it’s something that applies to your organisation, and what can you do about it? Let’s look at the new rules and how they should be interpreted.
