[BreachExchange] Australia - Government finally moves ahead with data breach notification scheme

Audrey McNeil audrey at riskbasedsecurity.com
Wed Oct 19 19:37:13 EDT 2016


http://www.computerworld.com.au/article/608783/government-finally-moves-ahead-data-breach-notification-scheme/

The government has finally introduced a long-awaited bill that will create
a mandatory data breach notification scheme.

Justice minister Michael Keenan today introduced the Privacy Amendment
(Notifiable Data Breaches) Bill 2016 in the House of Representatives.

The government committed itself to legislating a data breach notification
scheme in response to the parliamentary inquiry into data retention. The
report of that inquiry was tabled in February 2015.

The government in December 2015 released an exposure draft of proposed
legislation. (A breach notification scheme previously considered by
parliament drew bipartisan support but was not passed before the 2013
election.)

The exposure draft received a mixed reception. Consultation on the draft
finished in March. The Senate as recently as last week called on the
government to legislate a mandatory data breach notification scheme “by the
end of the 2016 sittings”.

The scheme outlined in the revised bill introduced into parliament this
morning by Keenan requires an organisation subject to Privacy Act obligations
to notify the Australian Information Commissioner and affected individuals
if it experiences a data breach of the kind specified in the bill (an
“eligible data breach”).

The minister cited the US Office of Personnel Management and Ashley Madison
breaches as demonstrating “the potential harm that can result to
individuals following unauthorised access to or unauthorised disclosure of
personal information”.

“If an individual is at likely risk of serious harm because of a data
breach involving their personal information, receiving notification of the
breach can allow that person to take action to protect themselves from that
harm,” Keenan said. For example, an individual affected by a data breach
may change a password or cancel a credit card, he said.

“Experiencing an eligible data breach under the bill will not necessarily
mean that the entity concerned has breached the existing Privacy Act
information security requirements,” the minister said.

“For example, it’s possible that despite having taken reasonable steps to
secure personal information it holds, an entity may nonetheless experience
a data breach due to human error or other circumstances that are not
reasonably foreseeable.

“Where an entity has reason to suspect that an eligible data breach may
have occurred, the entity is required to undertake a reasonable assessment
of the circumstances. If an entity has reasonable grounds to believe they
have experienced an eligible data breach, after an assessment or otherwise,
the entity must notify the information commissioner and affected
individuals.”

Organisations can notify individuals directly or, if that is not practical,
publish a notice about the breach.

There are some exceptions to the notification obligations, for example where a
notification could prejudice a police operation or breach legal secrecy
obligations. There is also an exception if an entity “can determine with a
high degree of confidence that it has taken action to remediate the harm
arising from an eligible data breach before that harm has occurred,” Keenan
said.

In addition, an organisation can apply to the Australian Information
Commissioner for an exemption, either altogether or for a specific period.
The Information Commissioner will have the power to investigate
non-compliance with the scheme and potentially apply for civil penalties to be
levied.

The bill has undergone some changes since the exposure draft, for example
changing “serious data breach” to “eligible data breach”.

Under the current version of the bill, a data breach is defined as
unauthorised access to, or unauthorised disclosure of, personal information
about one or more individuals. In addition, a data breach occurs when
personal information is lost in circumstances that are likely to give rise
to unauthorised access or unauthorised disclosure.

Serious harm, the bill’s explanatory memorandum states, could include
serious physical, psychological, emotional, economic and financial harm, as
well as serious harm to reputation and other forms of serious harm that a
reasonable person in the entity’s position would identify as a possible
outcome of the data breach.

To give rise to an eligible data breach a reasonable person would need to
be satisfied that the risk of serious harm occurring is more probable than
not, the explanatory memorandum states. The bill outlines a list of
relevant matters to help determine whether that is the case.

“It would not be appropriate for minor breaches to be notified because of
the administrative burden that may place on entities, the risk of
‘notification fatigue’ on the part of individuals, and the lack of utility
where notification does not facilitate harm mitigation,” the explanatory
memorandum states.