International focus

2016 Mandatory Data Breach Notification Bill – latest update

Authors Tricia Hobson, John Moran, Reece Corbett-Wilkins

After much anticipation, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill) was introduced into the Australian Parliament on 19 October 2016. If passed, organizations and Commonwealth government agencies subject to the Privacy Act 1988 (Cth) will be required to notify affected individuals and the Australian Privacy Commissioner of ‘eligible data breaches’. This affects Commonwealth government agencies and organisations that have a turnover of more than A$3 million annually, as well as some small businesses such as private health service providers.

What’s changed since the 2015 exposure draft?

As outlined in the Bill’s accompanying explanatory memorandum, there have been a number of changes to the Bill since last year’s exposure draft circulated by the Attorney-General’s Department. Some of the key changes include:

• A change in terminology, with data breaches that are covered by the Bill now being referred to as ‘eligible data breaches’ rather than ‘serious data breaches’.
• A change to the notification requirement threshold, with eligible data breaches only covering situations where there is a ‘likely risk of serious harm’ (rather than the previous ‘real risk of serious harm’ wording in the exposure draft).
• The removal of a requirement to notify data breaches that an entity ought reasonably to have been aware of.
• The addition of a new exception to cover situations where remedial action is taken by the entity that suffers an eligible data breach, with the effect that data breaches will no longer be considered to be an eligible data breach (and therefore notification will not be required) if the remedial action would be considered by a reasonable person to mean that there is no longer a likely risk of serious harm.
• Amendments to the factors that are stated in the Bill to be relevant to determining whether there is a likely risk of serious harm, including to recognise the use of security technologies in relation to that information.
• Clarification of when a notification must be given to affected individuals (as opposed to publishing it on the entity’s website).
• Expansion of the factors which the Privacy Commissioner must take into account in assessing whether to exempt an entity from providing notification.
• Clarification of the notification requirements where two or more entities jointly and simultaneously hold information which is the subject of the data breach.

While some of the more objectionable elements of the exposure draft have been removed or pared back, the essence of the Bill remains the same. Organisations and Commonwealth Government agencies will have an obligation to notify the Australian Privacy Commissioner and affected or at risk individuals if an eligible data breach occurs. A failure to do so will be deemed to be an interference with the privacy of the individual(s). Civil penalties of up to A$360,000 for individuals and A$1,800,000 for bodies corporate may apply for serious or repeated interferences of privacy.

What does this mean for you?

As the introduction of a mandatory data breach notification scheme has previously received bipartisan support, it is possible that the Bill could pass relatively quickly through the Parliament. Although the Government has previously committed to passing the Bill in the Spring 2016 Parliamentary session, it remains to be seen whether this occurs.

If passed, the Bill will likely commence 12 months after receiving Royal Assent (if not sooner). While this may seem like a long time away, entities should start preparing for the proposed notification requirements now.

In its current form, the Bill will require entities to act quickly in assessing whether notifications need to be made. Upon becoming aware of a suspected eligible data breach, entities will have 30 days to confirm whether an eligible data breach has occurred and if it has, entities will be required to notify as soon as practicable thereafter.

Given the fast paced and constantly evolving nature of data breaches (and other cyber-incidents), there is little opportunity for ‘learning as you go’. Please contact us should your organization require any assistance in preparing for, or responding to, a cyber incident.

Is anti-competitive behavior insurable?

The August 2016 first-of-its-kind judgment against South African Airways (SAA) in favour of Nationwide Airlines, for damages arising from conduct that was held to be an anti-competitive exclusionary act preventing Nationwide from entering into or expanding within the travel market, raises the interesting question whether the loss is insurable by the company and the directors.

SAA paid bonuses and gave free air tickets as incentives to travel agents to direct more flight bookings to it. The Competition Act enables a person to sue anyone found by the competition authorities to have engaged in prohibited anti-competitive conduct for damages.

The principle is that an insurer is not bound to indemnify deliberate unlawful behavior. This includes indirect intent.

The company sued would claim under its public liability policy. Standard policy wordings exclude fines, penalties, punitive, exemplary or vindictive damages but not all damages arising from unlawful conduct. Policies often cover negligence for instance. Every case will have to be looked at on its facts to see whether there was intentional unlawful activity.

In the competition setting, cartel behaviour is normally deliberate unlawful conduct. In the case like the SAA case the incentives may have been given in the bona fide belief after taking legal advice that they were lawful and insurers could be exposed if those are the facts. The competition authorities do not have to find a subjective intention so further evidence may be needed to consider the insurance claim.

Cover under a directors and officers (D&O) policy is for unlawful acts. The Companies Act prohibits a company, and its insurers, from indemnifying a director for wilful misconduct or wilful breach of trust and for carrying on business with gross negligence or with intent to defraud or for any fraudulent purpose. Once again it will be a question of fact whether the director or prescribed officer was guilty of the kind of conduct that is excluded as a deliberately dishonest or fraudulent act under the policy.

Under a liability policy the insured must be ‘legally liable to pay’ which could be when the final damages judgment of the high court comes out. The anticipated loss should of course be reported or disclosed earlier. Under the D&O policy it will usually be claims-made cover.

Is this a threat or an opportunity? Insurers should decide whether they want to create specific liability under their policies or to exclude liability under their policies to deal with claims relating to anti-competitive behavior. Many liability policies already have exclusions for liability arising from breach of the Competition Act.

Consultation Paper on introducing re-domiciliation provisions into the Singapore Companies Act issued by Ministry of Finance and Accounting and Regulatory Authority of Singapore

A Consultation Paper on the Introduction of an Inward Redomiciliation Regime was jointly issued by the Ministry of Finance (MOF) and the Accounting and Corporate Regulatory Authority of Singapore (ACRAS) on 26 October 2016.

The consultation proposes to introduce a new set of re-domiciliation provisions to the Singapore Companies Act (SCA) to allow foreign corporations to transfer their corporate registration to Singapore.

The authorities have made it clear that re-domiciliation will only be allowed for foreign entities where there are likely prospects for a positive commercial contribution to Singapore.

Furthermore, it is proposed that redomiciliation will only be available to foreign corporations that meet a minimum criteria, which is based on the existing criteria for the assessment of a small company under the SCA. This means that a foreign corporation will need to meet minimum requirements relating to a minimum of S$10 million in revenue and/or assets with more than 50 employees for the past two financial years.

By using this proposed re-domiciliation registration process, the foreign corporation will be able to retain its identity and history and minimise operational disruptions.

Such an inbound corporation that is re-domiciled to Singapore will become a Singaporean company and will be required to comply with the requirements under the SCA like any other Singapore company.

The public consultation will run until 16 November 2016. The proposed redomiciliation provisions will form part of a larger Companies (Amendment) Bill to be confirmed sometime in the next two years.

Cyber Risks in the spotlight

The Prudential Regulation Authority (PRA) has published a consultation paper on Cyber Insurance Underwriting Risk (CP39/16), proposing a new supervisory statement setting out its expectations for the prudent management of cyber underwriting risk.

For the purposes of the draft statement, cyber underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.

To assess these risks, the PRA carried out thematic work involving a variety of stakeholders from October 2015 to June 2016. The PRA’s work focused on the underwriting risks emanating from both affirmative cyber insurance policies as well as implicit cyber exposure within all-risks and other liability insurance policies that do not explicitly exclude cyber risk, referred to as ‘silent’ cyber risk.

The results of this work are summarized in an accompanying ‘Dear CEO’ letter, which highlights the following:

• Silent cyber risk is material. The PRA found an almost universal acknowledgement of the loss potential of silent cyber; however most firms did not demonstrate robust methods for quantifying and managing silent cyber risk.
• Silent cyber loss potential increases with time. As both silent cyber insurance awareness and the frequency of cyber-attacks grow, so does the loss potential from silent cyber exposures.
• Casualty (direct and facultative) lines potentially significantly exposed to silent cyber, either due to the fact that exclusions are not widely used or because some policies, e.g. D&O policies, cannot reasonably exclude cyber losses.
• Potential for silent losses in marine, aviation, transport and property lines. Motor and aviation underwriters are comfortable providing implicit cyber coverage despite a background of continuous technological advances. Property underwriters acknowledged the potential for cyber aggregation; despite that there are currently no widespread exclusions for cyber risk.
• The exposure and response of reinsurance contracts is uncertain. Reinsurers are aware of the potential aggregations resulting from silent cyber and are looking to address this in the future. Currently there is no widespread use of exclusion in either property or casualty reinsurance contracts. Where wordings do exist to address the issue, these are bespoke and introduced only recently and so may later result in disputes should a claim arise.
• Most firms lack clear strategies and risk appetites. Boards do not own the overall strategy around cyber risk and in a number of cases a clear strategy, supported by risk appetite statements, does not exist.
• Firm investment in developing cyber expertise is insufficient. This is due to a combination of firms being at the early stage of their cyber offering and the lack of supply of skilled professionals with cyber underwriting expertise.
• Affirmative cover risks are not well understood. Firms do not sufficiently understand the aggregation and tail potential of affirmative cyber cover. Moreover using past claims data to estimate future cyber losses may not be appropriate due to data being non-stationary.
• Risk management’s ability to challenge is limited. Risk management teams are not adequately equipped in terms of skill and expertise to provide effective challenge to the business. Input is often limited to either developing simple deterministic scenarios or reviewing and adapting widely publicized work on the topic.
• Third-party vendor models at early stages of development. Catastrophe modelling vendors have developed small sets of deterministic cyber scenarios to assist their clients in managing aggregation and data schemes have been developed for categorizing cyber exposures. Although these are helpful steps, the PRA considers that the market has much work to do before it can capture and manage cyber exposures effectively.
• EU Data Directive will increase affirmative cyber exposures. The implementation of the Data Protection Directive in 2018 will strengthen the European regulatory framework on personal data.

In light of the above, action is required across the non-life sector to mitigate the risks identified. In its consultation paper, the PRA sets out its expectations in relation to three main areas:

• The management of silent cyber risk. The PRA proposes that firms have the ability to monitor, manage and mitigate silent cyber risk effectively and aim to provide policyholders with greater contractual certainty as to their level and type of coverage.
• Setting clear appetites and strategies owned by boards. The PRA proposes that firms exposed to silent and affirmative cyber risk will have clear strategies and articulated risk appetites on the management of the associated risks. These should be owned by the board and reviewed on a regular basis.
• Investing in cyber expertise. Insufficient investment from firms is due to a combination of being at the early stages of development of their cyber offering and a lack of supply of skilled professionals with cyber underwriting expertise. The PRA proposes that firms have sufficient expertise to monitor and manage the risks emanating from cyber risk.

Written by Amy Teece, London

European Commission publishes results of Call for Evidence on EU financial services

The European Commission (the Commission) has published the results of a public ‘Call for Evidence’ which sought feedback on the cumulative effect of recent financial sector rules brought in since the financial crisis. The results of the Call for Evidence will be used to feed into the development of future legislative initiatives within the European Union. In this exercise the Commission has looked across all policy areas to see where existing measures are still fit for purpose and whether there is a need for improvement.

Since 2009 over 40 pieces of financial services legislation have been introduced with the aim of stabilizing markets and better protecting consumers.

Following a review of the evidence on how these reforms have worked so far, the Commission has concluded that overall there is no need to change the existing framework. However, some amendments are needed in the following areas:

• Removing unnecessary regulator constraints on financing the economy. The Commission believes that some results can be achieved in a more ‘growth-friendly’ manner so that banks and other entities can support economic growth. One such area is the prudential treatment of infrastructure and other long-term investment by insurance companies where results indicated that the risk framework laid down in the Solvency II Directive limits insurance companies’ ability to finance long-term investments.
• Enhancing the proportionality of rules without compromising prudential objectives. There is recognition that existing rules can be a significant burden on smaller institutions. The Commission therefore will look at ways to enhance the proportionality of rules without compromising prudential objectives including insurance and asset management. Amongst the rules cited as requiring simplification are the methods, assumptions and calculations of certain modules in the Solvency II standard formula.
• Reducing undue regulatory burdens. Reducing duplicative or excessive regulatory reporting requirements will be included in the review. The Commission will consider how reporting requirements might be reduced or consolidated or streamlined.
• Making rules more consistent and forward-looking. The results of the Call for evidence have revealed certain inconsistencies between individual rules in pieces of legislation which need to be addressed – the Commission communication mentions Solvency II in this context.

Next steps

The aspects of Solvency II that require revision will be addressed in the forthcoming review of the regime. Going forward, the Commission will monitor progress in the implementation of the respective policy commitments and will publish its findings and next steps before the end of 2017.