Govt's data breach bill will unleash confusion, says expert
Australian organisations will struggle to comply with the Federal Government’s mandatory data breach notification proposals, according to consulting firm Protiviti.
The company says that unless detailed guidance is developed and consultation processes with the Privacy Commissioner are introduced to help businesses determine whether they have a notification obligation, there will be compliance confusion.
In its submission to the Federal Government’s consultation on the draft Bill requiring organisations to notify affected individuals and the Privacy Commissioner where they have been hit by a serious data security breach, Protiviti observed that unlike the European Union and United States, where an entity’s notification obligations are clearly defined, Australia’s draft legislation introduces sketchier concepts that could require organisations to make subjective judgement calls.
Specifically, Protiviti says the draft Bill requires entities to decide whether there are ‘reasonable grounds’ to believe a ‘serious data breach’ has occurred resulting in a ‘real risk of serious harm’ to affected individuals, before their notification obligation is triggered.
According to Ewen Ferguson, managing director at Protiviti, it will often be difficult for entities to judge whether all these thresholds are met.
“After all, there’s a wide spectrum of circumstances in which a data breach can occur, ranging from an employee losing a laptop containing a limited amount of non-financial personal information, to a large scale malicious theft of credit card details,” says Ferguson.
“There will always be a multitude of factors at play and the outcome will not always be straightforward,” he says.
“What’s more, in many cases it will not be clear who has acquired the data, and how or for what purposes the data was compromised, making it difficult for companies to gauge the severity and impact of the breach,” Ferguson explains.
Ferguson says that because the draft laws establish a ‘self-assessment’ regime, whenever the facts are ‘borderline’ or where a case for non-disclosure is at least arguable, it is more than likely that organisations will decide not to notify to avoid the reputational impact of public scrutiny.
“The danger of a regime that encourages entities to ‘err on the side of non-disclosure’ is that it may not adequately protect the individuals affected by data breaches, as potentially ‘serious’ breaches may go unreported,” he explains.
Ferguson says this concern can be addressed in two ways.
“Firstly, to help organisations to accurately ‘self-assess’ their notification obligations, it’s essential that the Commissioner issue detailed criteria and case-study style guidance on how these concepts might operate in practice,” he says.
“Secondly, there must be an avenue for entities to approach the Commissioner’s office for prompt, in-confidence advice on whether their notification obligations apply in cases where the outcome is unclear.
“This may be established as an administrative process by the Commissioner’s Office or formally in legislation similar to the way federal tax laws allow taxpayers to apply to the Australian Taxation Office for a binding ‘ruling’ on how the tax law applies to their circumstances,” says Ferguson.
“In any event, the process must be an expedited one where the Commissioner commits to making a prompt determination,” he continues.
“Time is critical where data breaches are concerned and the process should not unduly prejudice an individual’s ability to take swift action to protect their interests where their data has been compromised,” Ferguson adds.
In its submission, Protiviti also expressed concerns that the proposed breach notification scheme may not encourage significant numbers of organisations to improve their data security in view of the light penalties for non-compliance.
“Despite the increasing incidence of cyber-attacks and existing fines of up to $1.7 million for breaches of the Privacy Act, many entities still do not have adequate controls to prevent or detect data breaches,” Ferguson explains.
“The cost for medium and large companies to upgrade information security practices to the standard required to identify a breach or reduce the likelihood of one occurring, could outweigh the maximum penalty of $1.7 million proposed by the breach notification laws,” he says.
“This may predispose some companies to run the risk of incurring a data breach because the quantifiable penalties are relatively insignificant.
“Many companies continue to step up their data security for ethical and reputational reasons anyway, irrespective of the penalty, because it is the ‘right thing to do’.
“However, for the few who don’t, a stiff penalty may well be the only effective wake-up call,” Ferguson says.
"If one of the key objectives of the proposed data notification laws is to encourage entities to take greater preventative measures to secure personal data, then the penalties for non-compliance under both the current Privacy Act and the proposed breach notification Bill, must be raised to a level that makes the cost of taking preventative action worthwhile, for the minority of companies that won’t choose to do the right thing,” he explains.
Examples of indicative benchmarks from other jurisdictions include the European Union’s new General Data Protection Regulation which imposes a fine of up to 4% of global annual turnover, while Californian law permits affected parties to take civil action including class actions.