Data breaches are becoming as lucrative as the global drug trade. Massive data breaches are almost a daily occurrence. The Privacy Rights Clearinghouse reports that in the first eight months of 2015 there were 120 million personal records breached globally. This is up from 70 million for the full year of 2014.
Against this backdrop, a recent survey of boards by North Carolina University found that cyber breach was in the top three risks concerning directors. Anecdotally we know the same is true of boards in Australia.
The draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is set to take this fear to a whole new level. The recently released Bill will require notifications to be sent to individuals whose personal information may have been exposed in a data breach.
Currently there is no legal obligation to notify a person if their information has been compromised. This new notification scheme will apply to any company that is currently subject to the Privacy Act. In general, any company that has an annual turnover of more than $3 million will therefore be subject to the notification scheme.
Some commentators have questioned whether the $3 million threshold is appropriate. The government has to balance protecting the public's privacy with concerns from Australia's 2 million small businesses about excessive compliance costs. In that regard the $3 million threshold seems appropriate.
Presumably the logic is that it will generally be the large companies that collect the most personal information and therefore will have the greatest effect on the public if they suffer a data breach. It is also worth noting that small businesses have always been exempt from the Privacy Act, so it is consistent that the notification scheme should not apply to them.
What is the threshold for notification under the Draft Bill?
A company will need to make a notification if it is aware, or importantly, if it ought to have been aware, that there are reasonable grounds to believe that it has suffered a serious data breach. A serious data breach is considered to be one where there is a "real risk of serious harm" to any of the individuals whose information has been the subject of the breach.
Determining exactly what constitutes a real risk of serious harm is not easy. Many data breaches cause little or no direct harm to individuals. The Explanatory Memorandum to the draft Bill gives some guidance as to what would constitute a "real risk of serious harm".
However, until there is some court consideration of the term it will be potentially quite a complicated decision for a company to make as to whether or not to notify.
What does a board need to do to be ready?
Assuming that the draft Bill passes parliament in its current form, companies will have 12 months from enactment to get ready. Companies will need every moment of that 12 months to prepare.
The draft Bill gives companies 30 days in which to conduct an assessment as to whether a serious data breach has occurred. If a notification is required, a detailed notice must be sent to the impacted individuals.
In order to comply, a lot of background work needs to take place quickly. For example, IT forensics need to be engaged, notifications need to be drafted, PR engaged and call centres spun up to deal with customer enquiries.
Companies should ensure that they have a well-tested data breach response procedure in place so that they can meet the 30 day timeframe.
Companies should also start to think now about cyber insurance. The losses from a cyber attack (including the cost of notifications) can be significant and cyber insurance can help to mitigate the risk.
These policies are becoming more common but care should be taken to read the fine print as the exclusions can often render the policies of limited value.
The draft Bill should be seen as a wakeup call. Companies need to be taking steps now to defend against cyber attacks and to be prepared to respond appropriately if breached.
We know that when the US introduced mandatory data breach notification laws, the number of reported data breaches jumped exponentially. There were 110 breaches notified to the Office of the Australian Information Commissioner in 2015. It is possible that we could see an increase of many times this number when this legislation takes effect.
Submissions on the draft Bill are due by 4 March, 2016.