Australian mandatory data breach regime moves closer to reality

As mentioned in our previous legal update, the Attorney-General’s Department has released an exposure draft of the Australian Government’s promised mandatory data breach notification bill. The Attorney-General’s Department sought comments on an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill). The time for submissions has now closed and the Attorney-General’s Department has published a number of the non-confidential submissions in relation to the Exposure Bill on its website.

What submissions were made?

The published submissions were made by 45 separate organisations, agencies and individuals, including:

• industry and consumer groups;
• regulators, government departments and law reform agencies; and
• major Australian and international companies.

Many of the submissions raised similar issues, including:

• concerns about the scope or lack of definition of key terms in the Exposure Bill, such as ‘real risk’ and ‘serious harm’;
• the possibility of ‘notification fatigue’ arising from too many data breach notifications being received by consumers;
• as a related issue, the possibility that under the Exposure Bill potentially inconsistent multiple notifications of the same data breach may be required, which could require notification of a data breach by the organisation that collected the personal information and also by the cloud service provider whose service was the subject of the actual data breach;
• the application of the Exposure Bill to undetected breaches that organisations ought reasonably to be aware of; and
• the timing of requirements to notify affected individuals of the occurrence of the data breach (including the opportunity to consult with the Australian Information Commissioner in relation to the breach).

What’s next?

The Attorney-General’s Department is likely to take some time to consider the submissions and may recommend changes to the Exposure Bill before it is introduced to Federal Parliament. Given recent forecasts of an early Federal election, it remains to be seen how a possible election could affect the progress of a bill through the Federal Parliament.

In the event that a bill is introduced into Parliament but does not pass through both houses prior to an election, the bill will lapse on the dissolution of Parliament. This was the fate of the previous Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) under the former Labor government.

However, notwithstanding a possible early election, there is every indication that the introduction of a mandatory data breach notification regime has the support of the major political parties. We still consider it likely that a bill will be introduced to Parliament and passed during the course of this year, with the law to take effect in late 2017.

What should I do?

Accordingly, organisations should continue to be pro-active in this area and should start preparing for the introduction of mandatory data breach notification obligations as part of their overall cyber-risk management strategy.

As part of being able to effectively manage cyber-risk, organisations will need to have a data breach response plan setting out what to do if a breach occurs. Many breaches arise from weaknesses in vendors’ systems, rather than organisations’ own systems. It is therefore also important to have a vendor cyber-risk management framework in place. Our Australian Privacy and Cyber-risk Team has worked with our colleagues overseas to develop two fixed price global best practice cyber-risk management packages to address these issues. Please contact us for further details.