Data Breach Reporting Obligations in Australia: Lessons from Recent Determinations

We’ve analysed two determinations from the Australian Information Commissioner relating to data breach reporting and teased out some important key takeaways for Australian businesses. 

A Brief Background To The Determinations

But first, some background: 

Pacific Lutheran College

The first determination we analysed related to a breach at the Pacific Lutheran College (PLC), an independent private school in Queensland. 

PLC experienced a data breach when an employee’s email account was compromised on 28 May 2020. During the unauthorised access, the cybercriminal sent 8,332 phishing emails and also had access to the personal information contained in that email account. The compromised information included birth certificates, tax file numbers, Medicare card details, dates of birth, medical information, addresses, Centrelink customer reference numbers, and information regarding parents/guardians, students, and staff.

Key Issues

Some of the key issues identified by the OAIC in its decision include: 

• Slow Response and Inadequate Assessment: The college’s response to the incident was delayed, and its initial assessment of the breach was inadequate. They did not promptly identify the specific personal information compromised or the potential risk of harm to affected individuals.
• Delayed Notification: There was a significant delay between PLC becoming aware of the incident (29 May 2020) and notifying the OAIC (on 15 December 2020) and affected individuals (from 15 December 2020 onwards). This delay hindered individuals’ ability to take steps to protect themselves.
• Poor Password Hygiene: PLC’s password hygiene was put under the microscope and found to be lacking. The school reasoned that it needed to have lower security standards for its young children, since primary school aged kids aren’t likely to remember long complex passwords. In response, the determination notes: “It may be reasonable that young students use less complicated passwords, but it is not reasonable to apply this as a ‘one size fits all’ solution, particularly in circumstances where staff collected higher risk personal information through their email accounts than students. Accordingly, I do not consider the respondent had adequate password security in place to protect the information it collected from misuse, interference and loss, and from unauthorised access, modification or disclosure.”

The OAIC’s Determination:

The OAIC determined that Pacific Lutheran College had breached the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. This was due to their delayed response, delayed notification, and inadequate security practices.

Datateks Pty Ltd

Datateks Pty Ltd, a company involved in building, operating, and maintaining communications networks and infrastructure services, suffered a cyber attack where three email accounts were compromised. The attackers used these accounts, including a general inbox, to launch a phishing campaign. Unfortunately, it was customary for Datateks to hold personal information in email accounts, including dates of birth, credit card information, bank account details, superannuation information, driver’s licences, birth certificates, working with children checks, Medicare card information and tax file numbers.

Key Issues

Some of the key issues identified by the OAIC in this matter were:

• Delayed Response: Datateks experienced significant delays in its response to the breach, and those delays were not reasonable. For instance, it took Datateks 27 days to engage a forensic cybersecurity expert after it first noticed the unauthorised access on 26 June 2020. Australia’s privacy law requires that organisations take all reasonable steps to complete the assessment of an eligible data breach within 30 days. 
• Delayed Notification: It took Datateks 87 days to notify the OAIC after it became aware that the breach was an eligible data breach. This is not a ‘prompt’ notification. 

The OAIC’s Determination:

The OAIC determined that Datateks had not complied with the requirements of the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. This was due to the delays in its initial investigation and the notification to the OAIC.

Key Lessons For Australian Organisations

Know When To Report An ‘Eligible Data Breach’

In each instance above, the organisation delayed notifying the OAIC because it was uncertain whether an eligible data breach had occurred. 

In situations like the above (or in any instance of unauthorised disclosure), organisations need to report a breach if both of the following apply: 

• There is unauthorised access to, or unauthorised disclosure of, the information;
• A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

Here’s what that often looks like in practice:

Step One: Containment and Preliminary Assessment

• Take steps to contain the incident and prevent further unauthorised access or disclosure of personal information.
• Conduct a preliminary assessment to determine the nature and scope of the breach, including identifying the types of personal information potentially involved, the potential number of individuals affected, and the possible ways the information was accessed or disclosed.

Step Two: Assessment of Risk of Serious Harm

Next, you will need to undertake a risk assessment to determine whether the breach is likely to result in serious harm to individuals. You should consider the following factors: the sensitivity of the personal information, the potential consequences, the number of affected individuals, and any security measures that may mitigate the risk (such as encryption).

Step Three: Is it an ‘Eligible Data Breach’?

Based on the risk assessment, determine whether the breach meets the criteria for an eligible data breach. Recall that a breach is eligible if it involves unauthorised access or disclosure of personal information, may result in serious harm, and the entity cannot prevent the likely harm with remedial action.

If the breach is not eligible, document the assessment and the reasons for the determination.

Step Four: Notify The OAIC

If the breach is eligible, you must promptly notify the OAIC. “Promptly” means as soon as practicable after you have concluded there are reasonable grounds to believe an eligible data breach has occurred.

Use the OAIC’s online Notifiable Data Breaches form to provide details of the breach, including:

• The nature of the breach
• The types of personal information involved
• The estimated number of individuals affected
• The steps you have taken to mitigate the harm
• Your contact details for further communication.

Step 5: Notify The Affected Individuals

If the breach is eligible, you must also notify the affected individuals as soon as practicable.

Your notification should provide clear and concise information about the breach, including:

• The types of personal information involved
• The potential consequences of the breach
• Recommended steps individuals can take to protect themselves
• Your contact details for further inquiries.

It’s also worth noting that there are likely to be changes to the NDB Scheme with the expected amendments to the Privacy Act. One significant change is the proposed requirement for organisations to notify the OAIC within 72 hours if it suspects an eligible data breach has occurred. You can read more about the proposed changes to the NDB Scheme.

Have a Data Breach Response Plan In Place

There was an unreasonable delay in approaching and retaining third parties to assist in the management of the data breach in each of the instances outlined above. A data breach response plan can help to reduce these delays. 

A good data breach response plan will include the details of relevant third parties who can assist in case of a data breach, including forensic cybersecurity firms, privacy lawyers, communications consultants, and your point of contact at your insurance company. 

The data breach response should also include information about what your organisation should do after engaging the relevant third parties. In the PLC determination, the Privacy Commissioner highlighted a range of steps PLC could have taken in the first thirty days following the breach:

“Steps the respondent could have taken to try to ensure that the assessment was completed within 30 days include:

1. clearly communicating to all employees, stakeholders and service providers that the assessment was required to be completed within 30 days;
2. prioritising this matter above other routine decisions;
3. assigning a person to be accountable for ensuring the timely completion of the assessment;
4. ensuring the assessment included an analysis of the suspected compromised personal information included in the relevant email account, not just an investigation of the circumstances of the unauthorised access;
5. monitoring progress of the assessment and investigation; and
6. planning effectively from the outset, including by having a data breach response plan in place.”

Ideally, your data breach plan would identify a list of all steps each accountable person must take following a breach. It should also identify the accountable people, including their contact details. 

Act With Urgency

It’s important to take potential data breaches seriously and to act with urgency following a breach. While a week may not seem like a ‘delay’, it is a long time in the wake of a data breach. Your team should be aware of this so they’re in a position to appropriately prioritise data breach-related tasks. 

Legal considerations aside, if individuals entrust you with their personal data, they deserve to know at the earliest opportunity if someone has access to that data and could cause them harm. Your customers are less likely to be forgiving in instances where the notification is delayed, and your reputation may suffer as a result. 

In terms of legal consequences, the delayed notification may be a factor the Australian Information Commissioner takes into account when determining penalties.

How Can Privacy 108 Help With Data Breach Notifications? 

Privacy 108 has extensive experience navigating and advising on data breach notifications. 

OUR SERVICES INCLUDE: 

• Development, implementation and testing of data breach response plans; 
• Drafting Data Breach Response Policy and procedure documents; 
• Advising and supporting data breach response efforts when a data breach has occurred; 
• Legal opinions on data breach response obligations.

Contact us for more information: