Discussion Paper. Australian Privacy Breach Notification. Commonwealth of Australia. October 2012


Discussion Paper: Australian Privacy Breach Notification. Commonwealth of Australia, Attorney- October 2012

ISBN Commonwealth of Australia 2012

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence ( For the avoidance of doubt, this means this licence only applies to material as set out in this document. The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence (

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour website (

Contact us

Enquiries regarding the licence and any use of this document are welcome at: Business and Information Law Branch, Attorney- 4 National Circuit, BARTON ACT 2600. Telephone: copyright@ag.gov.au

Foreword by the Australian Attorney-General

The Australian Government is committed to ensuring that our privacy laws continue to protect the personal information of Australians in the digital era. Rapid advances in technology have changed the way we work, bank and shop, the way people engage with government, never even met. We are providing more personal information than ever before to government agencies and companies, both in Australia and overseas, and this information is susceptible to hackers and other types of security breaches. It is therefore timely to consider whether our existing privacy framework is adequate in encouraging entities to take the right steps in the event of a data breach, and in allowing individuals to mitigate the adverse effects of such a breach.

In May 2008, the Australian Law Reform Commission (ALRC) concluded a 28-month inquiry into the effectiveness of the Privacy Act 1988 and related laws as a framework for the protection of privacy in Australia. In its report, the ALRC made 295 recommendations for reform in a range of areas, including creating unified privacy principles, updating our credit reporting system, and strengthening the powers of the Privacy Commissioner. The Government has responded to the majority of their recommendations through the introduction of the Privacy Amendment (Enhancing Privacy Protection) Bill in Parliament in May other recommendations was that a mandatory data breach notification scheme be introduced. In responding to this recommendation, the threshold question that must be asked is whether the introduction of such a scheme is warranted. For example, it may be the case that the existing voluntary guidelines issued by the Office of the Australian Information Commissioner are working effectively enough.

If there is to be a mandatory data breach notification scheme, how do we make sure it gets the balance right between the public interest in mitigating the adverse effects of data breaches while ensuring we do not create an overly burdensome compliance requirement on entities that make their business from collecting, storing and using personal information? The Australian Government has prepared this Discussion Paper for public consideration of these important questions. I encourage everyone with an interest to visit and provide views on this important issue.

The Hon Nicola Roxon MP
Attorney-General and Minister for Emergency Management

Discussion Paper: Australian Privacy Breach Notification

Contents

Foreword by the Australian Attorney-General ... ii
Introduction ... 2
Current position ... 3
Factors in favour of the current position ... 3
Rationale for mandatory data breach notification laws ... 4
A. Mitigation of consequences of breach ... 4
B. Deterrence/incentive to improve data security ... 4
C. Tracking of incidents and provision of information in the public interest ... 5
D. Maintaining community confidence in legislative privacy protections ... 5
Data breach notification models and legislation ... 5
ALRC recommendation
Legislative and voluntary models in foreign and state jurisdictions ... 7
Key questions for consultation / determination by Government
(1) Should Australia introduce a mandatory data breach notification law? Questions:
(2) Which breaches should be reported? Triggers for notification. Questions:
(3) Who should decide on whether to notify? Questions:
(4) What should be reported (content and method of notification), and in what time frame? Questions:
(5) What should be the penalty for failing to notify when required to do so? Questions:
(6) Who should be subject to a mandatory data breach notification law? Questions:
(7) Should there be an exception for law enforcement activities? Questions:
Public consultation

Introduction

Mandatory data breach notification refers to a legal requirement imposed upon particular entities to provide notice to affected persons and the relevant regulator where certain types of personal information are accessed, obtained, used, disclosed to, copied, or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (eg, a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.

In its report, For Your Information: Australian Privacy Law and Practice, the Australian Law Reform Commission (ALRC) noted that, with advances in technology, entities were increasingly holding larger amounts of identifying information in electronic form, raising the risk that a breach of this information could result in another individual using the information for identity theft and identity fraud.1 A notification requirement on entities that suffer data breaches would allow individuals whose personal information had been compromised by the breach to take remedial steps to lessen the adverse impact that might arise from the breach.

Recently, there has been anecdotal evidence that breaches of data security are increasing in frequency and scope.2 Some recent US reports have found that up to 88 per cent of organisations surveyed have had at least one data breach during the course of a year.3 These reports also indicate that the cost of notification and rectification is also increasing, with a cost range of $174 to $268 per information record breached in the US, depending on how quickly a company responded to the data breach.4 In addition, the Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches in the 2010/2011 financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent. The Privacy Commissioner also opened 59 investigations into breaches of which there was no notification to the OAIC.5

Some of these breaches have occasioned significant publicity both here in Australia and internationally. Both government and private sector entities have recently suffered data breaches, at a national, state, and international level. For example, notable recent breaches have been suffered by Sony (2011), St George Bank (2010), Medicare Australia (2008), TJX Companies Inc (2007, 45.6 million credit and debit card numbers), and the UK Revenue and Customs (2007, 25 million records of child benefit claimants). The scale and impact of these data breaches in terms of both numbers of persons affected and flow-on economic and social harms caused have likewise been significant. Data breaches have caused considerable public concern. For example, a number of concerns were raised Cyber White Paper.6

The ALRC recommended that the Privacy Act 1988 (Cth) (Privacy Act) be amended to require that such notification be given.7 Notification would be provided to those whose privacy had been infringed where data breaches occurred. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest. Failure to notify would attract a civil penalty.

1 ALRC Report 108: For Your Information: Australian Privacy Law and Practice (2008) at pp warned- to- be- ready.html
6 See cyberwhitepaper.dpmc.gov.au
7 Chapter 51, recommendation 51-1, For Your Information: Australian Privacy Law and Practice (2008).

The Government has responded to. Most of these will be implemented with the passage of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which includes the new Australian Privacy Principles, credit reporting reforms and creates powers and functions for the Australian Information Commissioner. on mandatory data breach notification report. This paper considers the policy questions and models by which the Government could respond to the recommendation. It considers implementation options and sketches next steps required should the Government decide to proceed to introduce a mandatory data breach notification scheme in Australia.

Current position

Under the Privacy Act, agencies and organisations are subject to requirements to provide adequate security protection to personal information in their possession.8 This will be reflected in proposed Australian Privacy Principle 11, which has been included in the Privacy Amendment (Enhancing Privacy Protection) Bill There is no requirement under the Privacy Act to notify the OAIC or any other individual in the event of a data breach. These data security requirements are aimed at encouraging entities to provide sufficiently high levels of security to minimise the possibility that personal information could become compromised. Under these provisions, an entity could suffer a data breach involving large amounts of personal information but not be in breach of their data security obligations.9 Therefore, the rationale underpinning a mandatory data breach notification requirement is based on separate objectives. These are addressed below under the heading

Specific Commonwealth laws

The Personally Controlled Electronic Health Records (PCEHR) system contains a mandatory data breach notification requirement regarding PCEHR information.10

Factors in favour of the current position

There are a number of arguments in favour of retaining the existing position and not implementing mandatory data breach notification laws. These include:
- the additional costs of compliance for entities would be too onerous;
- there are sufficient commercial incentives for entities (eg reputation) to have high standards of data security and to voluntarily notify the OAIC where appropriate;
- the voluntary OAIC guidelines are operating effectively, and more entities are using them after voluntarily contacting the OAIC;
- many organisations do not have the capability of detecting whether data loss has occurred, and whether there has been a significant impact or harm caused by such data loss;

8 Information Privacy Principle 4 and National Privacy Principle 4.
9 into Sony PlayStation Network / Qriocity:
10 Section 75 of the Personally Controlled Electronic Health Records Act See at:

- some organisations already voluntarily report certain categories of incident to law enforcement agencies and CERT Australia;
- the connection between data breaches and identity theft has been criticised as being overstated;11 and
- data breach disclosure laws have a marginal effect on the incidence of identity theft.12

Rationale for mandatory data breach notification laws

There are essentially four broad goals sought to be achieved by requiring data breach notification.

A. Mitigation of consequences of breach

First, by providing advice to those who have had their privacy infringed, that person will have an opportunity This could be called the mitigation.13 For example, to change passwords where those passwords have been hacked or to cancel credit cards if their details have been stolen. The ALRC considered this to be the primary goal to be achieved. However, such a rationale shifts the onus away from the organisation that has suffered the breach and onto a person who may be ill-equipped or unable to correct the consequences of the breach. been accidentally uploaded to the internet, it may not be possible to rectify the breach even if it has been subsequently taken down.

B. Deterrence/incentive to improve data security

Secondly, requiring notification may act as an incentive to the holders of personal information to adequately secure or dispose of that information. In other words, the adverse publicity occasioned by a notification may deter poor handling of such information, and increase the likelihood that adequate and reasonable measures are taken to secure it. deterrent. The ALRC viewed this as more of a secondary objective, although it has been part of the rationale for data breach notification laws in many other jurisdictions. With respect to agencies, this objective is consistent with guidelines issued by the Government under the Protective Security Policy Framework.14 These guidelines highlight the need for agencies to understand and address their responsibility to minimise the risk to the public when transacting online with the Australian Government. The failure by an agency to adequately notify the public of a data breach could place the public at risk. A mandatory data breach notification requirement would ensure all agencies take action to minimise the risk of harm to the public.

11 F Cate, M Abrams, P Bruening and O Swindle (Centre for Information Policy Leadership, 2009) at p 2. See at:
12 S Romanosky, R Telang, A Acquisti, Do Data Breach Disclosure Laws Reduce Identity Theft? (Social Science Research Network, 2008) at p 1. See at:
13 See further ALRC report (2008), para

C. Tracking of incidents and provision of information in the public interest

A third goal would be to provide better information to government and the public on the scope and frequency of data breaches. This informational is essentially a correction of the market failure by which organisations have insufficient incentives to disclose incidents of data loss, even though such losses may cause harm to others.

D. Maintaining community confidence in legislative privacy protections

individuals is minimal, there is a chance individuals will feel deceived or disempowered in the absence of notification. Mandatory data breach notification may bolster public confidence that the Government is taking individual privacy rights seriously.

Data breach notification models and legislation

This section considers the range of data breach notification laws that have been proposed or legislated both here in Australia and in other jurisdictions. It commences with the recommendation of the ALRC in its 2008 report. The ALRC noted that data breach notification is a topical issue in privacy regulation around the world. It noted that the IPPs and the NPPs in the Privacy Act do not impose an obligation on agencies and organisations to notify individuals whose personal information has been compromised, although there is an obligation to take reasonable steps to maintain the security of the personal information they hold. The ALRC considered the rationale for data breach notification laws in other countries and various models that have been implemented strong support for the introduction of a requirement that data users notify individuals of a breach to their personal information where that breach may give rise to real harm to an individual. As a consequence, the ALRC recommended that the Privacy Act should provide for notification by agencies and organisations to individuals affected by a data breach.

ALRC recommendation 51-1

The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:
(a) An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.
(b) with a unique identifier, such as a Medicare or account number.
(c) In determining whether the acquisition may give rise to a real risk of serious harm to any affected individual, the following factors should be taken into account: (i) whether the personal information was encrypted adequately; and (ii) whether the personal information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the Privacy Act (provided that the personal information is not used or subject to further unauthorised disclosure).

(d) An agency or organisation is not required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual.
(e) Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.

Commentators have made a number of points about this recommendation.15 First, it is arguable that para (a) is internally inconsistent or may raise confusion in that it bundles up notification to the Commissioner with notification to affected individuals. Secondly, c para (b)) may complicate the definitional aspects of the reform. Other jurisdictions have been far more specific about what combinations of information, when accessed by unauthorised persons, require data breach notification. Further, the civil penalty recommendation (para (e)) is duplicative with the broader civil penalty, undertakings and other enforcement provisions recommended by the ALRC (see, eg, rec 49-6 and ch 50) and which have been included in the Privacy Amendment (Enhancing Privacy Protection) Bill

The 16 Data Breach Notification: A Guide to Handling Personal Information Security

The OAIC currently has in place a voluntary guide for entities giving advice on how to handle a data breach. The Guide was developed in August 2008 and revised in late The Guide is cast at a fairly high level, and pivots upon:
- existing Information Privacy Principle 4 and National Privacy Principle 4 (both concerned with data security); and
- certain language to be found in the recommendations of the ALRC (eg, possible triggers for notification).

The Guide describes practical steps an organisation in the midst of handling a breach should take. Those include: breach containment; risk evaluation; possible notification (following an assessment of whether there is a real risk of serious harm); incident review; and prevention of recurrence. The Guide also includes useful definitions of data breach and tries to describe examples which illuminate the - 1).

15 Eg, see New South Wales Law Reform Commission Report 127 (2010) - Protecting Privacy in New South Wales: paras
See NSWLRC, Report 127 (2010), Protecting Privacy in New South Wales, the NSWLRC meant that the more general enforcement and penalty provisions of the NSW Act would be a more flexible and appropriate means by which to ensure compliance with its proposed DBN rules; and, concomitantly, that no specific DBN penalties were required in the DBN part of the Act. See at:

Much is expres- by- case In these respects, similar guidelines exist or have previously existed in at least some European countries, Canada, NZ, the US and Ireland, though in some of those jurisdictions tighter, stronger codes or legislative provisions have also been proposed or enacted. The Guide does not, and indeed cannot:
- require notification;
- impose particular data breach notification penalties;
- legally define real risk of serious harm; or
- prescribe particular timeframes or modalities for the notification.

One option for the development of a data breach notification law is that it be consistent with a formalisation. Even if a mandatory data breach notification law is introduced, the OAIC could still issue guidelines that outline steps that an entity should take to address aspects of the breach (eg remedial action). For example, once an organisation reports that it has experienced a data breach, it could be given assistance or advice about implementing remediation measures necessary to make it unlikely that the responsible parties do not use the same metholines could still play an important role in promoting safety and security of personal information.

Legislative and voluntary models in foreign and state jurisdictions

There have been a number of international developments where foreign jurisdictions have identified that there is a problem that needs to be addressed, and have implemented, or are considering, legislative options for addressing the problem. Some of these jurisdictions also have voluntary notification arrangements in place. These are discussed in more detail below.

United States

President Obama presented model legislation to Congress in May 2011, after significant media attention and pressure upon the Administration to simplify corporate compliance burdens caused by the proliferation of state legislation.17 It has the following features:
- obligations to notify are applied only to business entities;
- a trigger based on the number of individuals whose data has been acquired in a 12 month period by the entity (eg 10,000 per year) and applying to special combinations of information only (which are identifiable information
- requires notification without unreasonable delay, but no later than 60 days after the breach;
- has differential requirements for notification to the regulator vs to the public;
- that no reasonable risk of harm to individuals has eventuated;
- allows the regulator to use all its powers and functions to compel compliance;
- includes a special civil penalty provision (max US$1m) but specifically excludes any private causes of action; and

17 See fact sheet at: administration_cybersecurity_legislative_proposal.pdf

- would operate to the exclusion of the 49 state and territory laws that are currently in place in the US.

In February 2012, the Obama administration released a whitepaper, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.18 The variations in existing state laws create significant compliance issues for companies. In June 2011, two Senators introduced draft legislation on data breach notification, the Data Security and Breach Notification Act (S 1207), which was referred to the Senate Committee on Commerce, Science and Transportation. In addition to requiring notification in cases of breach, the bill contains an entitlement for affected consumers to two years' worth of consumer credit reports or credit monitoring services. In July 2011, alternative legislation, the Secure and Fortify Electronic (SAFE) Data Act (HR 2577), was referred to the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade. The bill also seeks to establish uniform national standards for data breach notification. It would impose a requirement that companies notify consumers of a breach within 48 hours of identifying the specific information affected, unless the breach would be unlikely to result in any harm. It would also give the US Federal Trade Commission the power to impose civil penalties for non-compliance, including jurisdiction over non-profit organisations for the purposes of the Act.

Forty-seven US states, several territories and the District of Columbia have enacted some form of data breach notification legislation, the most well- 19. These laws define data, breach, and notification in a multiplicity of different ways. Most of the state codes have particular timeframes and create penalties where notification is not met. They also include a variety of carve-outs and exemptions for different types of entities.

European Union

The EU has recently (through Directive 2009/136/EC) amended its Directive on privacy and electronic communications (Directive 2002/58/EC) to include data breach notification provisions. The new provisions will:
- apply only to electronic communications providers (ie telecommunications firms: the Commission and Council rejected EU Parliament proposals to have the law apply to businesses that operate online, such as shops and banks);
- require notification to the competent national authority (ie the national regulator) in all cases, and to individual;
- mandate that the notification include a description of the breach, contact points, and measures that can be taken to correct it;
- additionally require that providers describe the consequences of the breach to the regulator, which adverse effects of
- require the Commission to consult on the best available technical and economic means of implementing the requirements of the directive;
- include an exemption if the data was encrypted; and
- require providers to maintain an inventory of data breaches and make it accessible to regulators.

These provisions were required to be transposed into national legislation by the 27 Member States of the EU by May

18 See at: final.pdf
19 For California see Cal. Civ. Code and ; For Massachusetts see Mass. Gen. Laws 93H-1 et seq.

In June 2011, EU Justice Commissioner Viviane Reding announced her intention to propose mandatory data breach notification which would extend to all sectors, rather than only the telecommunications sector. The EC proposal was released in January 2012 and contains a requirement for companies and organisations to notify their relevant national authority of serious data breaches. Notification should occur within 24 hours if feasible, but otherwise as individual should also be notified, unless the data was rendered unintelligible by technological protection measures. The proposal also requires that EU rules apply if companies are active in the EU market and offer services to EU citizens but handle their personal data abroad. National data protection authorities will be given stronger powers to enforce EU data protection rules, including the imposition of fin

United Kingdom

In May 2011, the UK approved new regulations implementing the provisions of the EC directive noted above. where a telecommunications service provider fails to comply with the requirement to notify. It is not clear, and given the newness of the regulations does not appear to have been tested, whether or not the penalty applies per breach incident or per failure to notify an individual.20

Ireland

While no legislation presently exists in Ireland, on 7 July 2010, the Irish Data Protection Commissioner, Billy Hughes, approved a mandatory Personal Data Security Breach Code of Practice covering non-government organisations. Under the code of practice:
- organisations would be required to notify the Commissioner, but only where more than 100 nature;
- initial notification must be made within 48 hours of the organisation becoming aware of the breach;
- the Office of the Data Protection Commissioner can then request a more detailed report, which must include information about:
  a. the amount and nature of the personal data that has been compromised;
  b. what action is being taken to secure and / or recover the personal data that has been compromised;
  c. what actions are being taken to inform those affected by the incident or reasons for the decision not to do so;
  d. what actions (if any) are being taken to limit damage or distress to those affected by the incident;
  e. a chronology of the events leading up to the disclosure; and
  f. what measures are being taken to prevent repetition of the incident.

20 See Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK) at

In July 2011, Ireland also implemented, through regulations, the provisions of the EC directive in relation to telecoms service providers.21 Those regulations require providers to notify the ODPC of any breach, including information about any proposed measures to address the breach. The organisation is also required to notify any individual who may be adversely affected, unless the Office of the Data Protection Commissioner is satisfied that the data was sufficiently secured to make it unintelligible to third parties. Failure to comply with notification obligations can result in criminal prosecution, with fines up to 5,000, and on indictment, 250,000 per offence.

New Zealand

New Zealand does not have a mandatory reporting requirement. In February 2008, the New Zealand Privacy Commissioner published Key Steps for Agencies in Responding to Privacy Breaches and a Privacy Breach Checklist to help agencies complete an analysis of the breach.22

Canada

The Canadian Privacy Commissioner has also issued guidelines on data breach notification, which are similar to the Australian guidelines.23 In mid-2010, Bill C29 was introduced by the Canadian Government which would amend the Personal Information Protection and Electronic Documents Act to create a data breach notification rule for the first time. The Canadian proposal requires:
- Organisations to report to the Privacy Commissioner on material breach of security safeguards
  o In determining whether a breach is material, businesses must consider the sensitivity of the information and whether the cause of the breach indicates a systemic issue.
- Notification to affected individuals if it is reasonable in the circumstances to believe that the breach real risk of significant harm
  o includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.
  o Factors relevant to determining whether there is a real risk of significant harm include the sensitivity of the information and the probability of its misuse.

s business card), is excluded. The Canadian Bill includes no penalty provisions, and at least the initial assessment of whether the trigger has been met is left in the hands of the entity.

21 See European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (Ireland) at breach- guidelines- 2/?highlight=data breach

14 Australian States and Territories Unlike in the US, no data breach notification laws presently exist in Australian states or territories. Various For example, the New South Wales Law Reform Commission supported the ALRC recommendation in principle but departed from it in relation to the type information that the provisions should apply to, and the penalty to be imposed (eg the NSWLRC did not support civil penalties). Key questions for consultation / determination by Government The Government introduced in Australia and, if such a law were introduced, how it should be framed. The threshold question is whether there should be a mandatory data breach notification scheme. In 2011, the Department of the Prime Minister and Cabinet released the Connecting with Confidence discussion paper, in preparation for development of its Cyber White Paper 24. The discussion paper included consideration of data breach notification, and requested views on how the reporting of data breaches could be improved and encouraged in Australia. Of the responses which considered mandatory data breach notification legislation, a majority supported its implementation. Key elements in the design of the scheme may include: the types of breaches that should be reported (including the types of data), to whom they should be reported, in what manner, the appropriate penalties that should be imposed, and the entities that should be subject to the scheme. This section identifies those issues, grouped into six decisions need to be made so as to inform any legislative amendment. (1) Should Australia introduce a mandatory data breach notification law? Questions: 1.1 Are the current voluntary data breach notification arrangements sufficient? 1.2 Should the Government introduce a mandatory data breach notification law? (2) Which breaches should be reported? Triggers for notification A key issue is which breaches should be reported and how the class of reportable breaches may be defined. 
This is sometimes described as t

The challenge here is to ensure that remedial action can be taken quickly to mitigate actual and possible adverse effects of the breach, while ensuring that notification is only required in relation to appropriately serious breaches. There may be breaches or losses of data that are minor, unnoticed, or unimportant to some persons whose privacy may have been impacted. It may not be desirable for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation. However, especially where there are a large number of persons affected, the breach may affect people in different ways. In some cases, the harms may be concentrated in particular populations or types of persons. For example, those with serious or sensitive medical conditions may be a small subset of the whole population, but each of them may suffer great harm due to the breach.

Organisations may not often be in a good position to determine harm caused by a breach. Harm will depend and many other factors. The notion of harm may not be an appropriate trigger element because it raises the risk that organisations will always assess a breach as not raising any harm unless it involves something such as a credit card breach. In that example, the monetary harm would be to the bank (with potential short-term inconvenience for the individuals affected), so

International jurisdictions have tended to take two broad approaches to this question: on the one hand (i), a cover-all test has been used or, on the other (ii), triggers have been spelt out specifically.

(i) The ALRC recommended a catch-all test be used to determine the trigger point. The following catch-all tests could be considered consistently with the ALRC approach but varying in degree. They are ordered here from most demanding to most broad:
a. a real risk of serious harm (the ALRC test, adopted also in the OAIC Guide);
b. a real risk of significant harm (the proposed Canadian test for notification to individuals);
c. a risk of harm;
d. a material breach of data security safeguards (the proposed Canadian test for notification to the regulator);
e. dual (the UK
f. disclosure has test);
g. disclosure to unauthorised persons has occurred or is reasonably suspected to have occurred (see eg Privacy (Data Security Breach Notification) Amendment Bill 2007 Private Members Bill of Senator Stott-Despoja)); or
h. risk of unauthorised disclosure (the Ireland Code of Practice requires consideration of notification at this point).

(ii) If, on the other hand, the triggers for notification were described more exhaustively, some of the following options may be attractive. Notification could, for example, be required where:
a. more than 1000 records have been breached - person- plus materiality test); and/or
b. the entity has acquired more than say 10,000 records in the past year (see, eg, US proposal); and/or
c. sensitive information has been breached.

, option (i) above, is that it would not require detailed permutations or combinations of personal information to be expressly included (see, eg, laws in most US states and in the Obama proposal). This is because it would not be the type of information that triggered the notice requirement but rather the harm. Certain exemptions would not need to be so exhaustively spelt out, which would simplify drafting, but would likely mean a greater level of guidance was required from the OAIC.

Questions:
2.1 What should be the appropriate test to determine the trigger for notification?
What specific elements should be included in the notification trigger?

(3) Who should decide on whether to notify?

Notification could be provided to:
a. the Commissioner; or
b. affected persons; or
c. the Commissioner and affected persons (either sequentially or simultaneously).
Information could also be provided to:
d. those who can help correct or investigate the breach (eg, the police, financial institutions, CERT Australia etc). 25

If information is also to be provided to these bodies, timeliness is again a major factor to consider.

There exists a significant challenge in determining who should be responsible for deciding whether or not notification to affected persons is required. Options include:
a. the organisation/agency; or
b. the Commissioner (ie, the Commissioner may direct notification); or
c. the organisation/agency in consultation with the Commissioner.

It would be impractical to require the Commissioner to determine whether or not notification is required in every case reported to him or her due to resource constraints and timing issues, and because the Commissioner may not be as well placed as the organisation to consider the ramifications of the breach. On the other hand, allowing organisations themselves to decide alone may present issues as to conflicts of interest or lack of understanding of the relevant law. The subsidiary question of whether the Commissioner should have, or already has sufficient, power to compel notification arises depending on the regulatory model that is pursued. The ALRC did not reach a clear conclusion on this issue, making the entity the primary decision-maker while suggesting that notice of the most serious breaches should always be provided to the Commissioner, and encouraging early notice to and consultation with the Commissioner in marginal cases.

Questions:
3.1 Who should be notified about the breach?
3.2 Which of the below should decide whether to notify?
(i) the organisation or agency;
(ii) the Commissioner; or
(iii) the organisation/agency in consultation with the Commissioner.

25 See, Personal Data Security Breach Code of Practice, para 3. See at: _Data_Security_Breach_Code_of_Practice/1082.htm

(4) What should be reported (content and method of notification), and in what time frame?

Form/medium

The form or medium in which the data breach notification should be provided (eg, by email, or by phone, etc) is a question most jurisdictions resolve by simply requiring notice that is:
a. appropriate, or
b. in the form in which the organisation usually communicates with the affected person (eg, in writing).
The notification would be provided by the entity who normally communicates with or has the pre-existing relationship with the person.

complex tests), general rules of the type above provide more flexibility to organisations to be able to quickly notify affected individuals. Advice from the OAIC may provide some guidance on this question.

Timing

Timely notification is important, especially if the primary objective is to allow affected persons a real and timely opportunity to take corrective action (eg, resetting security measures such as changing passwords before harm occurs). Allowing organisations a significant amount of time to report the breach is highly likely to lead to stolen data being misused by criminals (eg stolen credit cards). It is also the experience of CERT Australia that many organisations do not know they have lost data until advised by CERT Australia. CERT Australia has an active work program which identifies caches of compromised data taken from organisations, and returns it to the business owner for appropriate action (eg compromised passwords for secure login or credit card credentials). It can be assumed that those who compromise data take copies of the information. Unless an organisation has a very good understanding about cyber security and processes to identify breaches, and the hacker is very inexperienced, organisations often will not know that any information has been removed and will not be in a position to report it.
Various jurisdictions have resolved this question differently. Options include:
a. before a particular deadline (eg, no later than 60 days from becoming aware of the breach: as for );
b. as soon as possible once the entity becomes aware of the breach (eg, Irish Code of Practice);
c. immediately following an initial investigation by the entity that suffers the breach;
d. the proposed US law and the Californian law); or
e. as soon as Canadian proposed law: Bill C29) practicable in the.

There is some evidence that the faster an organisation decides to react and respond, the higher the cost of the response. 26

Content of a notice

The content required to be provided in the notification is often, in jurisdictions which have legislated on this issue, listed out in some detail. Generally, it would include:
a description of the breach;
a listing of the types of information lost;
contact details or suggestions for follow up; and

Some specificity must be provided if a penalty may be applied for non-compliance. However, given the high-level principles-based nature of privacy regulation, which aims to provide flexibility to agencies and organisations in interpreting their obligations based on their own functions and activities, it may be argued that creating another privacy obligation with such specificity could be counterproductive.

Questions:
4.1 What should be the form or medium in which the data breach notification is provided?
4.2 Should there be a set time limit for notification or a test based on notifying as soon as is practicable or reasonable?
4.3 What should be the content of the notification?

(5) What should be the penalty for failing to notify when required to do so?

Finally, and importantly to many stakeholders, the Act must provide for an enforcement and compliance mechanism to encourage entities to comply with their obligations to notify. It is important to note that the penalty would be to encourage the notification, not to penalise the organisation for the breach itself (or for the insufficiency of its data security measures). The Privacy Act already has remedies to address that type of activity. For example, an individual can make a complaint about, or the Commissioner could investigate, an agency or organisation where it has failed to implement adequate security standards to protect the personal information of that individual.
While the ALRC suggested a civil penalty should apply, it did not discuss specific elements of a proposed penalty. If a penalty scheme is introduced to underpin the notification requirement, the Government will need to consider:
a. the type of penalty (eg civil penalties, administrative penalties, name/shame);
b. the elements of the offence (eg, would it include intention, recklessness, etc);
c. the maximum quantum of any civil penalty; and
d. whether other regulatory responses such as seeking to conciliate before imposing a penalty should be spelt out in this section or left to the more general Parts of the Act.

The US proposal includes a penalty of US$1000 per day per lost record up to a maximum of US$1m per breach, and the UK regulations while other regimes are less specific as to quantum. If civil penalties are to apply, one option would be to set the maximum civil penalties by reference to similar provisions agreed by the Government for the credit reporting provisions: ie, at 200, 500, 1000 or 2000 penalty units, varying depending on the level of intent and so on associated with the failure to notify. Other options could include criminal penalties, administrative penalties and the capacity to name and shame entities that fail to meet their obligations.

The penalties available and the circumstances in which they could be applied would need to be detailed in the legislation (either in the data breach notification Part or in the broader compliance provisions or in some combination of both) to provide liable entities with sufficient clarity and protection from arbitrary exercise of power. The appropriate penalty would also need to be weighed up against other sanctions that might arise out of the same event (eg imposed for a breach of the data security requirements under the Privacy Act). An entity may also be obliged (eg by way of a Commissioner determination under the Privacy Act) to take other remedial measures to lessen the impact of the breach on the privacy of individuals.

Questions:
5.1 Should there be a penalty or sanction for failing to comply with a legislative requirement to notify?
5.2 If so, what should be the penalty or sanction, and the appropriate level of that penalty or sanction?

(6) Who should be subject to a mandatory data breach notification law?

all entities currently regulated by the Privacy Act. That is, Commonwealth Government agencies and large private sector organisations. regulation applying to the private and public sectors. Internationally, there are different approaches to this question.
Under the President Obama proposal presented to Congress in May 2011, obligations to notify would apply only to business entities. Under the existing EU directive on privacy and electronic communications, the mandatory data breach requirements apply only to electronic communications providers. However, the proposed EU would extend it to all of the private, rather than only the telecommunications sector. Some European countries extend their data breach notification requirements to the public sector (eg Austria and Germany) 27.

Questions:
6.1 Who should be subject to a mandatory data breach notification law?
6.2 Should the scope of a mandatory data breach notification law be the same as the existing scope of the Privacy Act?

(7) Should there be an exception for law enforcement activities?

In some cases, notification of a data breach by an agency could compromise its law enforcement activities. ALRC Recommendation 51(1) provides that individuals should not be notified of data breaches if notification is contrary to the public interest or the interest of the affected individual. Arguably, such a broad public interest test would obviate the need for a more specific law enforcement exemption. Moreover, a public interest test would encourage the public interest in favour of disclosure to be taken into account when considering whether to apply an exception to mandatory notification. On the other hand, a law enforcement exception would provide clarity and thus reduce compliance burdens for law enforcement agencies.

27 See at

Questions:
7.1 Should there be an exception for law enforcement activities?
c interest exception?

Public consultation

Submissions on the issues raised in this paper are sought by 30 November. Discussion questions in this paper are intended as a guide. Respondents are also welcome to make more general comments on the issues.

Unless submissions are marked confidential they may be published. Submissions will be treated as non-confidential unless the respondent specifically requests otherwise. disclaimers will not be considered sufficient. Submitters of material marked as confidential must do so on the understanding that submissions may be released where authorised or required by law or for the purpose of parliamentary processes. The department will strive to consult submitters of confidential information before that information is provided to another body or agency. The department cannot guarantee the confidentiality of information released through these or other legal means. The department will treat the personal information you provide in accordance with its privacy statement (see

Enquiries about this paper may be directed by email to Privacy.Consultation@ag.gov.au

Submissions can be lodged in the following ways:
Privacy.Consultation@ag.gov.au
Please only attach files in a standard document format or a standard image format.
Post:
Mr Richard Glenn
Assistant Secretary
Business and Information Law Branch
Attorney-
4 National Circuit
BARTON ACT

More information

E-PRIVACY DIRECTIVE: Personal Data Breach Notification

E-PRIVACY DIRECTIVE: Personal Data Breach Notification E-PRIVACY DIRECTIVE: Personal Data Breach Notification PUBLIC CONSULTATION BEUC Response Contact: Kostas Rossoglou digital@beuc.eu Ref.: X/2011/092-13/09/11 EC register for interest representatives: identification

More information

Data Protection Working Group. Final Report on the Draft Data Protection Bill

Data Protection Working Group. Final Report on the Draft Data Protection Bill Data Protection Working Group Final Report on the Draft Data Protection Bill Background In August 2009, upon a request from the Hon. Attorney General, the Governor-in-Cabinet established a Data Protection

More information

Data Security Breach Management - A Guide

Data Security Breach Management - A Guide DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007. 2007 No. 2199

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007. 2007 No. 2199 EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007 2007 No. 2199 1. This explanatory memorandum has been prepared by the Home Office and is laid before Parliament by Command of

More information

Safeguarding your organisation against terrorism financing. A guidance for non-profit organisations

Safeguarding your organisation against terrorism financing. A guidance for non-profit organisations Safeguarding your organisation against terrorism financing A guidance for non-profit organisations Safeguarding your organisation against terrorism financing A guidance for non-profit organisations ISBN:

More information

Disciplinary and Dismissals Policy

Disciplinary and Dismissals Policy Policy Purpose/statement/reason for being Disciplinary and Dismissals Policy E.G - MIP is designed to strengthen the effectiveness of individual s contribution to the Council s success. Purpose The Disciplinary

More information

Privacy business resource 3

Privacy business resource 3 Privacy business resource 3 June 2013 Credit reporting what has changed As part of the reforms to the Privacy Act 1988 (Privacy Act), credit reporting in Australia is regulated by a new Part IIIA. 1 The

More information

DATA BREACH NOTIFICATION IN AUSTRALIA

DATA BREACH NOTIFICATION IN AUSTRALIA DATA BREACH NOTIFICATION IN AUSTRALIA Introduction The first data breach notification law (DBNL) was introduced in California in 2002 (and enacted in 2003). Since that time, similar laws have been introduced

More information

www.corrs.com.au OFFSHORING Data the new privacy laws

www.corrs.com.au OFFSHORING Data the new privacy laws www.corrs.com.au OFFSHORING Data the new privacy laws OFFSHORING DATA THE NEW PRIVACY LAWS Transfer of data by Australian organisations to other jurisdictions is increasingly common. This is a result of

More information

AISA Position Statement: Mandatory Data Breach Notification in Australia

AISA Position Statement: Mandatory Data Breach Notification in Australia AISA Position Statement: Mandatory Data Breach Notification in Australia Overview Although AISA members are broadly in support of mandatory data breach notification in Australia they have a number of concerns

More information

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION. H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.

More information

FACS Community Complaints Guidelines for Ageing and Disability Direct Services

FACS Community Complaints Guidelines for Ageing and Disability Direct Services FACS Community Complaints Guidelines for Ageing and Disability Direct Services Summary: This is designed to guide FACS staff when handling community complaints and is an extension of the FACS Community

More information

Identity Cards Act 2006

Identity Cards Act 2006 Identity Cards Act 2006 CHAPTER 15 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately 6 50 Identity Cards Act 2006 CHAPTER 15 CONTENTS Registration

More information

PERSONAL INJURIES PROCEEDINGS BILL 2002

PERSONAL INJURIES PROCEEDINGS BILL 2002 1 PERSONAL INJURIES PROCEEDINGS BILL 2002 EXPLANATORY NOTES General Outline Purpose of legislation The main purpose of this Act is to facilitate the ongoing affordability of insurance through appropriate

More information

DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL

DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL INTRODUCTION EXPLANATORY NOTES 1. These explanatory notes relate to the Draft Data Retention and Investigatory Powers Bill. They have been prepared by

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Financial Services (Banking Reform) Act 2013

Financial Services (Banking Reform) Act 2013 Financial Services (Banking Reform) Act 2013 CHAPTER 33 26.75 Financial Services (Banking Reform) Act 2013 CHAPTER 33 CONTENTS PART 1 RING-FENCING Ring-fencing 1 Objectives of Prudential Regulation Authority

More information

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31 THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control

More information

Issue #5 July 9, 2015

Issue #5 July 9, 2015 Issue #5 July 9, 2015 Breach Response Plans by Lyndsay A. Wasser, CIPP/C, Co-Chair Privacy Privacy breaches can occur despite an organization s best efforts to prevent them. When such incidents arise,

More information

Financial Adviser Regulations Discretionary Investment Management Services and Custody

Financial Adviser Regulations Discretionary Investment Management Services and Custody Financial Adviser Regulations Discretionary Investment Management Services and Custody MBIE-MAKO-6101733 ISBN 978-0-478-41375-5 Crown Copyright First Published July 2013 Corporate Law Labour and Commercial

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014 Document Control Policy Title Data Breach Management Policy Policy Number 086 Owner Information & Communication Technology Manager Contributors Information & Communication Technology Team Version 1.0 Date

More information

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne Agenda Top 10 legal need-to-knows, including: What is cyber

More information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

More information

FINANCIAL ADVISERS REGULATION: VOLUNTARY AUTHORISATION

FINANCIAL ADVISERS REGULATION: VOLUNTARY AUTHORISATION OFFICE OF THE MINISTER OF COMMERCE The Chair CABINET ECONOMIC GROWTH AND INFRASTRUCTURE COMMITTEE FINANCIAL ADVISERS REGULATION: VOLUNTARY AUTHORISATION PROPOSAL 1 I propose that regulations be promulgated

More information

The Regulatory Framework Gene Technology Act 2000 (Cth) and the Gene Technology Bill 2001 (WA)

The Regulatory Framework Gene Technology Act 2000 (Cth) and the Gene Technology Bill 2001 (WA) For Who s Benefit? - Evaluating Genetically Modified Organisms in Western Australia from a Different Perspective Conference held by Conservation Council WA 10 October 2002 The Regulatory Framework Gene

More information

SECOND READING SPEECH

SECOND READING SPEECH SECOND READING SPEECH Ambulance Service Amendment Bill 2013 Mr Speaker The purpose of this Bill is to amend the Ambulance Service Act 1982 to better reflect contemporary ambulance practice and to provide

More information

Opinion Statement of the CFE. on the proposed Directive. on the fight against fraud to the EU s financial interests. by means of criminal law

Opinion Statement of the CFE. on the proposed Directive. on the fight against fraud to the EU s financial interests. by means of criminal law Opinion Statement of the CFE on the proposed Directive on the fight against fraud to the EU s financial interests by means of criminal law COM(2012)363 Prepared by the CFE Fiscal Committee Submitted to

More information

Securing safe, clean drinking water for all

Securing safe, clean drinking water for all Securing safe, clean drinking water for all Enforcement policy Introduction The Drinking Water Inspectorate (DWI) is the independent regulator of drinking water in England and Wales set up in 1990 by Parliament

More information

Queensland PERSONAL INJURIES PROCEEDINGS ACT 2002

Queensland PERSONAL INJURIES PROCEEDINGS ACT 2002 Queensland PERSONAL INJURIES PROCEEDINGS ACT 2002 Act No. 24 of 2002 Queensland PERSONAL INJURIES PROCEEDINGS ACT 2002 TABLE OF PROVISIONS Section Page CHAPTER 1 PRELIMINARY PART 1 INTRODUCTION 1 Short

More information

CONSULTATION PAPER NO 2. 2004

CONSULTATION PAPER NO 2. 2004 CONSULTATION PAPER NO 2. 2004 REGULATION OF GENERAL INSURANCE MEDIATION BUSINESS This consultation paper explains the need for the Island to regulate general insurance mediation business and examines the

More information

APRA S FIT AND PROPER REQUIREMENTS

APRA S FIT AND PROPER REQUIREMENTS APRA S FIT AND PROPER REQUIREMENTS Consultation Paper Australian Prudential Regulation Authority PREAMBLE APRA was created out of the Government s financial sector reforms that were implemented as a result

More information

Public Consultation: Expanded use of automated processes by IP Australia

Public Consultation: Expanded use of automated processes by IP Australia Public Consultation: Expanded use of automated processes by IP Australia June 2015 Copyright All content in this publication is provided under a Creative Commons Attribution 4.0 International (CC BY 4.0)

More information

Insurance Law Reforms and Requirements for Direct Offshore Foreign Insurers ("DOFIs")

Insurance Law Reforms and Requirements for Direct Offshore Foreign Insurers (DOFIs) Insurance Law Reforms and Requirements for Direct Offshore Foreign Insurers ("DOFIs") The Clayton Utz contact for this document is Fred Hawke, Partner Clayton Utz Lawyers Level 18 333 Collins Street Melbourne

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Submission by AFA Pty Ltd on the development of new Terms of Reference for the Financial Ombudsman Service

Submission by AFA Pty Ltd on the development of new Terms of Reference for the Financial Ombudsman Service Submission by AFA Pty Ltd on the development of new Terms of Reference for the Financial Ombudsman Service Preamble AFA Pty Ltd does not operate as an insurer in its own right, but offers its products

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Helpful Tips. Privacy Breach Guidelines. September 2010

Helpful Tips. Privacy Breach Guidelines. September 2010 Helpful Tips Privacy Breach Guidelines September 2010 Office of the Saskatchewan Information and Privacy Commissioner 503 1801 Hamilton Street Regina, Saskatchewan S4P 4B4 Office of the Saskatchewan Information

More information

Response to Insurance Contracts Amendment Bill 2013. December 2012. Submission on behalf of Legal Aid NSW. Consumer Action Law Centre,

Response to Insurance Contracts Amendment Bill 2013. December 2012. Submission on behalf of Legal Aid NSW. Consumer Action Law Centre, Response to Insurance Contracts Amendment Bill 2013 December 2012 Submission on behalf of Legal Aid NSW Consumer Action Law Centre, Insurance Law Service & Consumer Representatives to Treasury Introduction

More information

Information security management guidelines

Information security management guidelines Information security management guidelines Agency cyber security responsibilities when transacting online with the public Version 2.1 Approved July 2014 Amended April 2015 Commonwealth of Australia 2013

More information

FINANCIAL SERVICE PROVIDERS (REGISTRATION) REGULATIONS

FINANCIAL SERVICE PROVIDERS (REGISTRATION) REGULATIONS 1 OFFICE OF THE MINISTER OF COMMERCE The Chair CABINET ECONOMIC GROWTH AND INFRASTRUCTURE COMMITTEE FINANCIAL SERVICE PROVIDERS (REGISTRATION) REGULATIONS PROPOSAL 1 This paper seeks Cabinet approval for

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

ANZ Expense Manager TERMS AND CONDITIONS 03.10

ANZ Expense Manager TERMS AND CONDITIONS 03.10 ANZ Expense Manager TERMS AND CONDITIONS 03.10 Contents 1 Introduction 4 2 Defined Terms 4 2.1 Interpretation 7 2.2 Customer More Than One Person 8 3 Provision of ANZ Expense Manager 8 4 ANZ Expense Manager

More information

International money transfers public interest determination applications. Consultation paper

International money transfers public interest determination applications. Consultation paper International money transfers public interest determination applications Consultation paper Closing date for comment 4 August 2014 Purpose of consultation paper The Office of the Australian Information

More information

Whistleblowing. Some Relevant Considerations

Whistleblowing. Some Relevant Considerations Whistleblowing Some Relevant Considerations Contents Whistleblowing: some ethical and legal considerations 2 What is whistleblowing? 3 Whistleblowing duty 4 Whistleblowing in the Accounting Professional

More information

Fitness industry guide to the code of practice

Fitness industry guide to the code of practice Government of Western Australia Department of Commerce Fitness industry guide to the code of practice An overview for the fitness industry Acknowledgements The fitness industry code of practice was developed

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information