AusCERT 2017 - Preparing for Australia’s Mandatory Breach Notification Law

On 22 February 2018, new laws mandating businesses to report the leak of personal identifiable information (PII) to the Office of the Australian Information Commissioner (OAIC) come into effect. During this year’s AusCERT conference Ben Di Marco and Matthew Pokarier walked through this new law and what it means for businesses.

The new law isn’t something completely new. Pokarier said it is an addition to existing privacy provisions. The big difference is that the new law is much broader. Old rules applied to the health sector, but the new rules will capture most Australian organisations. This includes Australian Privacy Principle entities, credit providers, credit reporting bodies, and tax file number recipients.

Personal information is information or opinion about an identified individual or someone who is reasonably identifiable.

Pokarier said the new rules matter because it is widely suspected that there have been many unreported breaches. The focus of the new rules is to protect individuals who are affected by a breach and to increase awareness of data security problems and the consequential risks.

The new laws cover three basic concepts. They apply to a wide range of breaches such as the loss of physical computers, intrusions by unauthorised parties and accidental exposures caused by errors or negligence.

An eligible data breach, said Pokarier, includes unauthorised access or disclosure of personal data that could cause harm to an individual. The assessment of harm involves the type of data, whether it was protected, who accessed the data, whether a third party could use the information to circumvent security technology, or other harm not specifically anticipated in the law.

Early drafts of the legislation required notification even if companies only believed they had been breached. But this has been altered in the signed-off legislation to only include disclosure of an "identifiable data breach" which will result in serious harm for an individual.

The third key concept Pokarier identified was that breached entities must notify the OAIC and affected individuals. That means businesses need to ensure they have processes and systems in place for those communications.

It is important to note that there are no penalties for reporting a breach unless the affected entity has been negligent or is a repeat offender who fails to remediate systems. If the OAIC determines that a penalty needs to be paid, these can be as high as $340K for individuals and $1.8M for corporations.

It is worth noting that it may not be necessary to notify the OAIC if the breach is remediated and serious harm is avoided or if you get an exemption/extension from OAIC. However, Pokarier was doubtful anyone would be willing to test the “no harm” provisions.

Pokarier said he expects the OAIC to be “gentle” at first, but that it will get firmer once the scheme has been in place for some time and businesses have had time to remedy potential issues.

Several other laws and rules are already in place around the protection of PII. For example, Pokarier noted that APP 11.1 says businesses must take reasonable steps to protect PII and that the obligations apply even if data is held offshore (APP 8.1). Importantly, and often forgotten by businesses, APP 6.1 says businesses can only use data for its intended purpose, and data is to be destroyed when it is no longer needed.

Pokarier’s colleague, Ben Di Marco, says the healthcare and retail/hospitality sectors are the big targets for data theft. And while financial and professional services were also targeted, less data was lost from those organisations, according to data he presented.

The costs of data loss are mainly legal, he says, although the notification costs for healthcare are very high. This highlights the need to have notification systems in place before an incident, so that they can be tested and the acquisition of a notification system is not done in the heat of an incident.