The consequences for an Australian business victim for a breach of cyber security are forecast to exponentially increase. In February 2015 the Parliamentary Joint Committee on Intelligence and Security (Committee) recommended the introduction of mandatory data breach notification scheme (Scheme) by the end of 2015.[1] Whilst the details of the incoming Scheme are currently scant, it is understood that the enacting legislation will have bi-partisan support in federal parliament.
Mandatory data breach notifications requirements a la the Scheme are far from a recent development. They were first recommended by the Australian Law Reform Commission in 2008 and have been in place in the United States since 2003.
Lessons from the United States
Australian businesses have the benefit of approximately fifteen (15) years’ worth of practical guidance from the United States alone. In these fifteen (15) years it is estimated that 675 million data records have been reported as being compromised and 783 data breaches occurred last year alone.[2]
By and large the United States experience demonstrates the significant costs incidental to a data breach that may arise by virtue of mandatory notification schemes. Amongst these costs are the damages to reputation and public relations and the potential litigation commenced by notified parties.
Preparing for the change
Australian businesses should take heed of the United States experience and undertake a comprehensive review of their data breach policies. By ensuring that your policies for reacting to a data breach are airtight you can mitigate any damage that may arise from your obligations under the Scheme. The guidelines for dealing with data breaches released by the Office of the Australian Information Commissioner in 2012 provide a solid foundation (outlined by Dundas Lawyers here) for preparing a policy but you should seek professional advice to develop a policy more tailored to your individual business.
Links and further references
Office of the Australian Information Commissioner, A guide to securing personal information
Office of the Australian Information Commissioner, A guide to data breach preparation and response
Further information about data security
If you would like further advice on your obligations concerning data breaches please contact us for a confidential and obligation free discussion.
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Smith, P, Litigation, PR disasters and higher insurance costs expected from new data breach laws, (2015). Accessed at http://www.afr.com/technology/litigation-pr-disasters-and-higher-insurance-expected-from-new-data-breach-laws-20150805-gis75j accessed on 13 August 2015.
[2] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, (2015) at p. 299.
Related insights about data security
-
What are adequate cybersecurity measures?
The adequacy of cyber security measures was considered in the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v Ri Advice Group). One of the issues raised was whether the respondent had adequate cyber security and cyber resilience in place across its network of financial advisors. …
-
Privacy Act amended to increase penalties to a max of $50 million
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent. The Bill was passed with virtually no amendment.
-
What should APP Entities include in data destruction policies?
This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.
-
Introduction of cryptocurrency and hacking offences to Parliament
The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 is set to revolutionize the way cybercrime is prosecuted. Learn more about the changes it brings and the implications they have.
-
Uber found in breach of Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-
Overview of the Ransomware Payments Bill 2021 (Cth)
Australian government proposed the Ransomware Payments Bill 2021 (Cth) (Bill) to enforce mandatory reporting of ransomware payments. Penalties of up to $110,000 for non-compliance.
