Changing legal landscape for Data Breach Notification in Australia

With the rise of cyber security incidents and increased concern about ransomware, additional data breach notification obligations impacting Australian organisations look certain to come into play. Although with the upcoming election it’s not clear when.

This blog posts looks at:

• The mandatory data breach notification scheme in the Privacy Act;
• Introduction of mandatory reporting of ransomware incidents under the Ransomware Action Plan; and
• Reporting of cyber incidents by critical infrastructure providers.

Mandatory data breach notification scheme Privacy Act

Australia’s mandatory data breach notification scheme has been operating as part of the Privacy Act since 2017.

Feedback on the MDBN scheme and whether it was operating effectively, was sought as part of the current review of the Privacy Act. According to the Attorney General’s department, the feedback about the impact of the NDB scheme in achieving its policy objective was largely positive.[1]

However, some submissions said the scheme would be more effective with additional OAIC guidance and education,[2] and with certain reforms, including:

• harmonising domestic and international frameworks (like the data breach notification regime in the GDPR);
• assigning responsibility for notifying where there are multi-party breaches (e.g. where a service provider is breached but the breach also affects customer information – the service provider and customers all potentially have notification obligations);
• ensuring timely assessment and notification;
• revisiting the serious harm threshold (with some suggesting it is too low); and
• addressing the impact of breaches on individuals and mitigating harm.[3]

In response to these submissions, the Discussion Paper suggested that:

• It was better for individuals to be over-notified than not notified, in response to the lack of clarity around notification obligations for multi-party breaches;
• Rather than impose a stricter time limit for notification, this might be an opportunity for the imposition of penalties under the new proposed civil penalty regime, which would give the OAIC the ability to levy penalties without the requirement that the breach be serious or repeated;
• The current threshold was probably about right to prevent notification fatigue and APP 11 already acts to ensure that separate the reasonable security safeguards should be in place.

However, the review is open to further submission on harmonising domestic and international frameworks asking in the Discussion Pape 2021 for submissions on:

• In what specific ways could harmonisation with other domestic or international data scheme notifications be achieved?
• What aspects of other data breach notification schemes might be beneficial to incorporate into the NDB scheme?[4]

In relation to concerns around addressing impacts and mitigating harm, it is proposed that the MDBN Scheme will be amended to require that notifications must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates.

State data breach notification laws

There are moves to introduce data breach notification at a State level, which would impact state government agencies.

For example, although data breach notification is still voluntary in NSW, it is encouraged by the IPC (read more here). A bill amending the Privacy and Personal Information Act was introduced in 2021 which would require NSW government agencies to notify of ‘eligible data breaches’ under a scheme similar to that in the federal Privacy Act.

Similarly the Privacy and Data Protection Act in Victoria encourages but does not require mandatory reporting of data breaches (read more here).

Harmonisation between Commonwealth and State reporting laws is one of the issues still under consideration as part of the the Commonwealth Privacy Act review.

Mandatory cyber incident reporting – Critical Infrastructure and Ransomware Notifications (SLACI 2021)

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI 2021) introduced new mandatory cyber incident reporting, in addition to other increased security obligations for an expanded critical infrastructure sector.  This Act requires reporting to the Australian Cyber Security Center (ACSC) – a different regulator to the OAIC which is responsible for data breaches involving personal data.

Various provisions of the Act, including the cyber incident reporting obligations, only become operable when enabling rules are passed. As at February 2022, there were draft rules relating to the mandatory reporting requirement. These draft rules outline that companies operating within the 9 of the 11 sectors deemed critical infrastructure must report a cyber incident within:

• 12 hours if the incident is having a significant impact on the availability of the asset, and if the report is made verbally, in writing within 84 hours of verbally notifying the ACSC or,
• 72 hours if the incident is having a relevant impact on the availability, integrity, reliability or confidentiality of the asset, and if the report is made verbally, in writing within 48 hours of verbally notifying the ACSC. (See more here)

Failing to comply with this requirement can attract fines up to $55,000.

We covered SLACI 2021 in a previous post, including potential reporting obligations. Read more here and here.

Mandatory ransomware incident reporting – Ransomware Action Plan Bill

On 17 February 2022, the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Bill) was introduced into the House of Representatives. This Bill will implement key aspects of the Ransomware Action Plan, introducing a range of new criminal offences including:

• standalone cyber extortion offence, which will criminalise the extortive conduct associated with ransomware: specifically, the conduct of a person making a threat with the intention of compelling another person to do or omit to do an act;
• an aggravated offence relating to cyber attacks on critical infrastructure assets as defined under the Security of Critical Infrastructure Act 2018 (SOCI Act);
• a standalone offence of dealing with data obtained by unauthorised access or modification; and
• an aggravated offence criminalising producing, supplying or obtaining data under arrangement for payment.

There are also extra-territorial provisions which means that Australian law enforcement can pursue cybercriminals for crimes that impact a person in Australia.  Importantly, the Bill does not criminalise or prevent the payment of ransomware.

Mandatory Ransomware Reporting Scheme

Nor does the Bill include the mandatory reporting obligations foreshadowed in the Ransomware Action Plan.

However, according to some sources, some aspects of the intended ransomware reporting regime are being clearer. It is understood that the key components of the reporting regime are as follows:

• reporting obligations will apply to businesses with a turnover of more than $10 million per annum;
• reporting obligations will mirror those under the SLACI Act which require a business to notify the Australian Cyber Security Centre within:
  • 12 hours of becoming aware of a ransomware incident that is having a “significant impact” on its business; or
  • 72 hours of becoming aware of a ransomware incident that is having a “relevant impact” on its business.
• Following notification of a ransomware incident, a business will then be required to produce a follow up report of the “material details” of the ransomware incident, including details such as the impact of the incident and payment details.[5]

Lapsing of Bill

With the announcement of an election, this Bill has now lapsed lapse and will need to be re-introduced into the next Parliament. The fate of the Bill will no doubt depend on the outcome of the 21 May 2022 election.

Conclusion

So, what does this all mean for Australian organisations?

In terms of timing, there are unlikely to be any changes in the near term, probably not this year, other than those already impacting critical infrastructure providers.

Longer term, there are unlikely to be any substantial changes to the MDBN Scheme in the Privacy Act, as part of the current review process, although the Commissioner may receive additional powers to issue penalties for non-compliance with the notification requirements.  The absence of state government agency mandatory data breach reporting obligations is still probably the biggest weaknesses in the reporting scheme.  Given the recent poor track record of federal and state governments working together in a collaborative way, it seems unlikely that an agreement on harmonised data breach notification laws will be reached any time soon.

And it remains to be seen if mandatory reporting of ransomware incidents will be introduced after the election. A new government is less likely to adopt legislation introduced by the former government, although action on ransomware is part of Labor’s policy.  See our post on Labor’s Tim Watts’ private member’s bill – Ransomware Payments Bill 2021 – here.

For more advice on what you can do about ransomware, see our previous post: Ransomware: What can you do?

[1] Discussion Paper, 198.

[2] Submissions to the Issues Paper: Clubs Australia, 5; Karen Meohas, 13; Privcore, 4; KPMG, 17; Cyber Security Cooperative Research Centre, 15; Communications Alliance, 13.

[3] Privacy Act Discussion Paper 2012, 198.

[4] Privacy Act Discussion Paper 2021, 203.

[5] https://www.kwm.com/au/en/insights/latest-thinking/parliament-considers-ransomware-plan-details.html