Australia Enacts Mandatory Breach Notification Law
But One Expert Contends Law Has Gaps that Could Pose Risks
Australia's Parliament has approved a bill requiring some organizations to notify regulators and consumers about a data breach within 30 days.
The Senate approved Privacy Amendment (Notifiable Data Breaches) Bill 2016 on Feb. 13, which amends the Privacy Act 1988. The House passed it last week. The law will come into force within the next year, but no specific date has been set.
The law calls for fines up to AU$360,000 (US$276,000) for individuals and $1.8 million for organizations for failing to report a breach.
The law, under discussion for several years, brings Australia more in line with other countries and regions that have adopted mandatory breach notification schemes. But requirements in the amendment are less strict than in other places, meaning consumers will likely never hear about some breaches.
Although there is no federal breach reporting law in the U.S., most states require public disclosure of breaches. The European Union's General Data Protection Regulation, which comes into force in May 2018, gives authorities the power to impose noncompliance penalties of 20 million euro (US$21 million) or up to 4 percent of a company's global revenue, whichever is greater (see Mandatory Breach Notifications: Europe's Countdown Begins).
"The way I read it, it sounds like a very watered down version of what we'd like to have," Hunt says. "My interpretation is that there are going to be many data breaches that happen that don't need to be reported."
The law applies to companies and governmental organizations covered by the Privacy Act 1988. But it excludes companies with less than $3 million in annual revenue from the reporting requirement.
Hunt contends that the revenue of companies doesn't matter to consumers when it comes to their lost data. "If people have entrusted you with their data, they've trusted you with it, and you let them know," he says.
The law also gives companies 30 days to complete their assessment after suspecting a breach. An amendment failed that would have shortened the period to three days.
The month-long period was retained because legislators feared people might receive too many breach notifications, some of which may have been rushed through and been unnecessary after a more thorough review.
But Hunt contends that speed is of the essence with breach notification. It's not unreasonable for any organization to send out emails to its customer base within three days alerting them to a breach, Hunt says. "People are going to take this [stolen] data, and they are going to reuse credentials and break into accounts. And they're going to do that quickly."
Defining a Breach
The amendment steers clear of describing what kinds of data would trigger a reporting requirement. Instead, it defines eligible breaches as those a "reasonable person" could conclude could cause "serious harm."
It further describes considerations that can be taken into account when determining whether serious harm is possible. Those include the types of information breached and whether it is protected by "one or more security measures."
The law does not explicitly mention encryption. That raises the question, for example, of whether a company would have to report a breach of password hashes generated with the MD5 algorithm versus those hashed with bcrypt.
But it does dictate that organizations should consider "the likelihood that any of those security measures could be overcome," a judgment that may ultimately rely on the breached organization's technical expertise.
It means organizations may have to make challenging judgments on whether the encryption used mitigates the risk enough that a breach notice is not warranted, says Michael Swinson, a partner in the Melbourne office of law firm King & Wood Mallesons. "Companies will need to have a multidisciplinary team, including technical experts, involved when they are dealing with any data breach incident," he says.
Swinson says many companies are prepared for the changes because the legislation has been under consideration for so long. For example, many companies already have been voluntarily reporting data breaches, as encouraged by the OAIC (Office of the Australian Information Commissioner).
Also, the public backlash and media attention that often comes after data is lost or stolen has incentivized companies to pay close attention to information security, he says.
But companies will need to think about their relationships with outsourcers or service providers and agree on protocols about which entity will handle the notification, Swinson says. The bill requires only one notice regardless of how many entities handled the data.
"This is likely to be a key issue for companies who will want to control the message given to both the commissioner and their customers about the background to the breach," he says. "I expect that data breach notification provisions are going to be an increasingly important, and closely negotiated, feature of outsourcing contracts now that this legislation has been passed."
With more breach notifications, class-action suits are also a possibility. Swinson says he doesn't expect a flood of lawsuits because Australia is less litigious than the U.S., but there "might be some testing of the waters."