Attorney General publishes submissions to draft Mandatory Data Breach Bill and Privacy Commissioner releases Guide to developing Data Breach response plan

April 21, 2016

Australia is yet to have mandatory data breach notification legislation. The Attorney General’s Department has published the submissions it received to the draft serious data breach notification bill.

Notably, the submissions state (taking the highlights):

  • Avant Mutual Group Limited, a medical defence organisation.  Against.  The complaint in essence is the “..enormous regulatory and compliance burden on medical practitioners, who are already required to comply with Commonwealth privacy legislation even though they might be small businesses: organisations that hold health information are not able to take advantage of the small business exemption under privacy legislation.”  In other words Avant complains that its members can’t enjoy the benefit of one of the Privacy Act’s biggest flaws, the poor coverage resulting from the small business exemption.  It also essentially claims that Avant already provides advice on how to manage privacy breaches, “..including notifying patients where appropriate and taking remedial steps to lessen the impact.”  Not an uncommon response from a mutual defence fund.  As a policy document there is less to it than meets the eye.
  • The Association for Data Driven Marketing and Advertising.  Not supportive.  It says the evidence to support such legislation is lacking.  That is a very myopic view.  The complaint about the potential to cause notification fatigue runs in the other direction: it assumes too many notifications of data breaches, which is to say there is evidence to support such legislation.  The complaint about the definition of a real risk of serious harm is legitimate.  It is a poor definition.  Generally this is a muddled, self-serving submission.
  • Australian Bankers Association.  Nuanced.  In its detailed 11-page submission it raises the weaknesses in the Bill.  It is a well drafted document.  It should be considered closely and taken very seriously.
  • The ABC. Neutral.  The ABC’s submission is a technical analysis.  It takes issue with the 30 day rule on notification, section 26WC(2) and when an organisation ought to be aware of a data breach.  It quibbles with the consistency of the cross border obligations under APP 8.1 and the provisions of the bill.  It also complains about the breadth of harm.  It is quite a good submission. It seeks to raise the bar for triggering the notification and compliance.
  • Australian Communications Consumer Action Network (ACCAN).  Supportive.  The amendments it seeks are to shorten time frames for reporting and to remove mitigation.
  • Australian Finance Conference.  Not opposed, but the effect of the submission would be to weaken the operation of the legislation.  The AFC seeks to amend section 26WB so as to “clarify” the meaning of what is rendered unintelligible by making specific reference to encryption, with a definition of encryption being “..rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”  The presumption is that encrypted information is “outside the data breach notification requirements.”  As with other submissions there is concern about the meaning of “real risk” and “serious harm”.  The AFC complains about the notification requirements, in particular the “ought reasonably to be aware” obligation.  The argument is that it leads to hindsight analysis.  This argument lacks logic and the other arguments are more confection than analysis.  The “ought reasonably..” formulation is well used in statutes and has long been considered by the courts.  Not having it there is a worse outcome for the proper functioning of the legislation.  The AFC wants to broaden the exemption power of the Privacy Commissioner under section 26WC(7).  The AFC raises concerns about situations where there is a breach in the distribution network and the issue is who notifies.  This is not a significant issue.  The legislation is clear on who notifies.
  • Australian Information Industry Association. Cautiously supportive but recommends amendments.  It joins with others in criticising the definition of real risk of serious harm.  It asserts notification fatigue, which is more speculative than an actual problem, and seeks to raise the bar on when notification is made.  The Association moves into dangerous territory when it seeks to lessen responsibility for breaches by third parties who are holding the personal information.  This is silly.  It also wants to loosen the requirements about time to make an assessment by removing reference to “as soon as practicable”.
  • Australian Information Security Association.  The submission was based on a survey of members rather than being an analytical submission.  Very supportive in principle, regarding the legislation as a good first step only.  But with amendments.  As with others, the definitions of real risk and harm are criticised.  The Association wants to lower the threshold for notification.
  • Australian Law Reform Commission.  Supportive save that it would prefer all recommendations made, most of which were included in the Bill, be included in the Bill.
  • Australian Privacy Foundation.  Very supportive.  Amendments proposed.  As I was one of the key drafters of the submission it is hard to comment further.
  • Australian Retail Credit Association.  Not opposed, but the recommendations would weaken the legislation.  The Association complains about the definitions of harm and real risk.  That is common to many submissions.  It also complains about the meaning of reasonable grounds.  This is a non-issue.  The law has long considered this concept.  It does not require massaging.  The complaint about “ought reasonably be aware” is the subject of concern.  It says that the 30 day period is too short.  It raises issues of joint holding of information.  This complaint is more illusory than real if proper enquiries are made.  A “safe harbour” provision for encrypted data is recommended.  Bad idea, even if it is part of Californian law.
  • BSA – the Software Alliance.  Generally opposed. Another complaint about the definition of a serious data breach and “as soon as practicable.”  It seeks to have a two step approach to breach notification.  Not a good idea.
  • Communications Alliance.  Generally negative; seeks amendments which would reduce the effectiveness of the legislation.  There are legitimate concerns, including the meaning of serious data breach, real risk and serious harm.  And there are a lot of what-ifs in the submission, such as the risk of multiple notifications for the same breach.  I am far from convinced this is a real problem.  As with the other unenthusiastic submissions, the recommendations run to increasing the threshold for notification, placing considerably more weight on mitigation (including having encryption) and wanting a longer time frame to notify.  It also wants the Commissioner to have a broader power to exempt, and more weight to be given to remedial steps in reducing any civil penalty.
  • Insurance Brokers – Cyber Data-Risk Managers.  Supportive in a short submission.
  • Cyberspace Law and Policy Community.  Very supportive in a long and detailed submission.  Recommends amendments which would strengthen, not lessen, the obligations on organisations and entities.  That includes clearer specification of alternative notification arrangements, increased penalties, compelling notification to consumer reporting agencies, making an entity’s role clearer, requiring all breaches to be notified to the Privacy Commissioner and making notification mandatory for breaches of encrypted data.
  • Department of Employment. Supportive.  While it finds a 30 day time limit as appropriate it recommends a power to extend time.
  • Department of Finance.  Supportive but… It sees no need to notify the Privacy Commissioner in all cases of serious data breach.  In that context it doesn’t like the definition of serious data breach.  It likes the 2 tier system of notification in California.
  • Department of Immigration and Border Protection.  Supports but wants changes.  Wants longer to assess and to notify the Commissioner.  It is concerned about the interaction between the legislation and the secrecy provisions in its own legislation.  Wants better guidelines from the Privacy Commissioner.  It is not alone there.
  • Department of Social Services.  Doesn’t say one way or another.  Generally it says the legislation will work but will require a lot of work to comply with.
  • Digital Industry Group.  Not supportive.  Thinks the voluntary notification system works.  If the legislation is enacted it should set a high threshold for notification and allow a lot longer to investigate, and on that note the OAIC should share the burden.  And no penalty, or only rare penalty proceedings.
  • Electronic Frontiers Australia.  Very supportive.  It should involve a statutory right to privacy.  The EFA doesn’t like the meaning of serious risk and serious harm.  The threshold should be a real risk of harm and a significant breach.
  • Financial Services Council.  Lukewarm, bordering on the chilly, support.  Recommends a two tiered approach to notification, and that the OAIC provide guidance on when not to notify (where there is minimal impact).  This is not practical and won’t happen.  The guidelines have no force of law.  It dislikes the phrase “ought reasonably to be aware”, as if this phrase has never been considered by the courts.  It does not want to consider the impact on individuals but rather on groups of individuals.  It also wants to increase the situations where notification is not required.
  • FireEye.  Supportive.
  • GRC Institute.  Not stated, but wishes to loosen the obligations.  It dislikes the definition of serious harm and wants to give “..latitude to organisations for reasonably general assumptions about the circumstances of the individuals affected by the breach and/or the circumstances of the breach.”  Whatever that means.  Wants extra latitude when dealing with overseas recipients.  Instead of 30 days to assess and notify it wants 21–30 days for assessment and 14 days for notification.
  • IDCARE.  Very supportive.  It wants more clarity on what constitutes “sensitivity” of information.  Its view is that “..organisations that have experienced data breaches and the clients and staff impacted can hold vastly different views on what is “sensitive”, what is “harmful”, and what are effective “mitigation steps”.”  That is quite a valid criticism.  Especially if there is poor regulatory oversight.  It is a particularly useful submission as it sets out details of data breaches.
  • International Board of Directors ISACA.  Supportive.  It wants provisions to specify the qualifications of those who evaluate data breaches & some provision relating to ICT governance.  That is unlikely to happen.  It also seeks more guidance on what is meant by serious harm.
  • Insurance Council of Australia.  Supportive but wants significant amendments which may limit its operation.  It does not like the definitions of harm and risk.  It wants more specific definitions.  That is hardly a surprise for an insurance lobby group.  It complains that the Explanatory Memorandum regarding section 26WB(3)(b) & (d) goes beyond the provisions of the sections themselves.  I am not convinced.  In any event the provisions are the starting point.  Again there is a call for more guidance.  The problem is that the Guidance is not a regulation.  The Council also complains about the “ought reasonably be aware” phrase and the 30 day period.  It believes that sections 26WB(1) and 26WC do not properly interact.  I am not convinced.  It also seeks more specific drafting of section 26WC(3)(d) and what should be in a notification.  This is probably unduly limiting.  It also seeks to limit the scope of the Commissioner’s powers under section 26WD(2)(b).  The Council raised the operation of section 7B(5) with section 26WB and its requirement to comply with the Privacy Act under government contracts.  That has more to do with the relationship between the Council’s members and the government providers than with a flaw in the legislation.
  • Interactive Games and Entertainment Association.  Not supportive.  The voluntary system is fine, it says.  As with others it seems to want more comprehensive guidelines.  This is an erroneous approach.  Courts may provide more substance but the guidance has no legal power.  It may, culturally, limit the Commissioner’s office.  It wants to limit the personal information that would carry with it a risk of harm.  It says the legislation shouldn’t cover material which the individual has consented to be used by third parties.  This is nonsense.  The whole idea of data breach notification legislation is to deal with unauthorised access and/or disclosure.  It wants more weight given to reasonable security measures.
  • Law Council of Australia.  Supportive.  The LCA has produced a very detailed analysis.  It wants an earlier start date.  It wants to remove “other information” from section 26WA.  Probably not necessary but understandable.  As with a number of other parties, it does not favour having a regulatory power associated with the legislation.  It wants to tighten the definition of risk from being “not remote” to one of “‘real risk’, ‘likely risk’ or ‘probable risk’”.  This recommendation is reasonable but much ado about nothing in the practical administration of the legislation.  It seeks a more generic list of relevant matters.  It does not like the definition of harm and prefers reference to loss and damage.  I doubt this is an improvement.  Far from it.  It also does not like “ought reasonably be aware” within the timing provision of section 26WC(1) and seeks to have reference to “if ‘reasonable steps were taken to ensure security of personal information, the entity would have been aware’ or a similar formulation that aligns with APP 11.”  The proposed amendment is interesting but risks being cumbersome.  The APPs being generalised principles, the wording does not add clarity.  In any event it is likely to give rise to a two stage process: determining whether reasonable steps were taken in the security set up for the purpose of APP 11, and then applying that to the fact situation.  Why not have the courts consider them and provide structure to this provision?  It recommends permitting the Commissioner to extend the 30 day time limit.  A reasonable approach, provided there are some in-built constraints on the use of the power.  It also wishes to have one party provide notification where there is a data breach and multiple parties hold the personal information.  This is an illusory problem.  If the data breach affects one organisation it provides the notice.  Other parties may hold the personal information but not be subject to a data breach.  They don’t need to make a notification.  In the rare event where multiple parties are affected by one or more data breaches involving the same personal information then it is reasonable for all impacted organisations to provide notice.  It also wants a more stringent provision regarding public interest notices and exceptions relating to law enforcement or national security bodies.  As with many other submissions it highlights the need for proper resourcing of the Commissioner’s office.
  • Law Society of New South Wales.  Supportive.  In its brief submission it wants more specificity in the definition of risk and wants clarification on how sections 26WB(1) and 26WC will interact.  I am not as convinced of the latter problem.
  • Liberty Victoria.  Very supportive.  It wants more resourcing for the Commissioner.
  • Macquarie Telecom.  Supportive.  It raises the issue of several entities being required to notify arising from the same breach.  It also complains about the terms serious breach and serious harm.  It also wants the threshold of harm increased by removing reference to emotional and psychological harm.
  • Microsoft Australia.  Supportive.  The main concern relates to the operation of section 26WC(1) and its ability to comply with it as it may not be able to communicate with individuals.
  • Miga.  Not supportive of the concept but is taking a practical approach.  It takes issue with the definition of a serious data breach, risk of serious harm and does not support the likely prospect that the release of health records will require notification.
  • Nicole Murdoch.  Very supportive.  She supports stronger controls and shorter notification times. And less emphasis on mitigation steps as a relevant factor.
  • Nuix Pty Ltd.  Very supportive.  It wants other supports and subsidies to educate organisations.
  • Office of the Australian Information Commissioner.  Supportive.  The OAIC is supportive of section 26WC, where an entity will make its own assessment.  This is disputed by some parties and I have concerns about the quality of the assessment being affected by other factors.  It is more a paean than a submission.
  • Office of the Information Commissioner Queensland.  Supportive.  It does recommend that where the threshold for notification is not met in the event of a data breach, an entity should still record instances where privacy has potentially been compromised.  A good idea, however it requires discrete drafting and a right for the Commissioner to inspect.
  • Paypal. Grudging support.  It is concerned about the definition of harm. It wants to specify and limit the definition of harm.  That will limit the disclosable circumstances.  It also complains about the evaluation of risk process.
  • Protiviti Pty Ltd.  Supports but doesn’t think the legislation will improve data security.  It is hard to argue with its statement “…in our experience, many entities still do not have adequate controls in place to prevent data breaches or to detect them when they have occurred.”  That is my experience.  It does have problems with what constitutes reasonable grounds and what is a serious data breach.  Its proposal to have an avenue to approach the Commissioner for advice, equivalent to a private ruling by the ATO, is fraught.
  • PwC.  Generally supportive.  In a long submission PwC wants a raft of changes, including applying the reasonable person test, issuing guidance about “ought reasonably be aware” (a bad idea), obtaining an extension of the 30 day assessment period, clarity on the encryption provisions, and clarity on the responsibilities as between an entity and its contractors.
  • Council of Records and Information Management.  Supportive.  But wants changes to the 30 day assessment rule and some form of tiered level of exposure to risk.  And a 30 day specified compliance period under section 26WD(5).
  • Telecommunications Industry Ombudsman.  Supportive.
  • Telstra. In a covering letter plus annexure.  Supportive.  But wants changes.  Remove “ought reasonably to have become so aware” and limit the operation of “reasonable grounds”.  It doesn’t like the ordinary person test.  It has company with that submission.  It raises the issue of multiple parties holding personal information, especially a contractor.  It proposes no solution.
  • Terry Darling.  Drafted in neutral terms but generally .  He complains about the definition of serious data breach, serious harm and real risk.  He wants the factors set out in Division 2 to be specified in more detail.

The Mandatory Data Breach Notification Bill is unlikely to be presented until at least September/October, at the earliest, given Parliament will be prorogued in May, an election held in July and the Parliamentary machinery not coming on line until at least August.

The Privacy Commissioner has released his Guide to Data breaches.

The Media Release provides:

Data breaches involving personal information can happen in any organisation, so being prepared for this ‘what if’ is a critical risk planning step.

Prior preparation is the key to minimising reputational risk, cost and disruption in the event of a breach, which is why the OAIC has released a new guide to assist your organisation to develop a clear Data Breach Response Plan.

The guide explains how actions immediately after the discovery of a breach can be crucial to the success of a response. Quick responses can also substantially decrease the impact on affected individuals, which is vital to protecting your consumer confidence and reputation.

Having the right people, plans and systems in place prior to any breach is essential to how quickly and accurately your organisation can respond. Accordingly our Guide will help you determine and document:

  • membership, roles and responsibilities of your response team
  • the immediate actions you need to take if a breach is suspected or discovered
  • escalation paths and critical decision points
  • key communication steps.

We have also included a handy checklist to help you quickly determine whether your existing data breach response plan covers all the relevant elements to respond to a data breach.

So to begin developing your data breach response plan, or to see if your current plan meets best practice, see our Guide to developing a data breach response plan.

The Guide is drawn in very broad terms but does serve the important purpose of providing a structure for an organisation to develop a plan.  It provides, absent footnotes:

Introduction

This Guide will help you develop a data breach response plan. A short checklist is also set out in the Appendix.

This guide complements the Office of the Australian Information Commissioner’s Data breach notification guide: A guide to handling personal information security breaches (DBN Guide), which provides detailed guidance about responding to a data breach once it occurs.

This guide is intended for use by entities covered by the Privacy Act 1988 (Cth) (Privacy Act), including organisations, agencies, credit reporting bodies (CRBs), credit providers and tax file number recipients. However, this guide may also be relevant to organisations not subject to the Privacy Act as a model for better privacy practice.

This guide is not legally binding. However, if you are covered by the Privacy Act you will have obligations under the Act to take reasonable steps to protect the personal information that you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. One of those reasonable steps may include the preparation and implementation of a data breach response plan.

What is a data breach?

For the purpose of this Guide a data breach is when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.

A ‘data breach’ may also constitute a breach of the Privacy Act, however this will depend on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the APPs, a registered APP code or the Privacy (Credit Reporting) Code 2014 (CR code).

Why do you need a data breach response plan?

All entities should have a data breach response plan. Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals.

High profile data breaches, both in Australia and overseas, highlight the significant disruption caused by a breach of personal information. Research suggests that the cost to an organisation for a data breach can be significant. Implementing a data breach response plan can assist in mitigating these costs.

Having a data breach response plan is part of establishing robust and effective privacy procedures. And having clear roles and responsibilities is part of good privacy governance. A data breach response plan can also help you:

  • meet your obligations under the Privacy Act — an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps may include having a data response plan
  • protect an important business asset — the personal information of your customers and clients as well as your reputation
  • deal with adverse media or stakeholder attention from a breach or suspected breach
  • instil public confidence in your capacity to protect personal information by properly responding to the breach.

What is a data breach response plan?

A data breach response plan is one tool to help you manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach as well as describing the steps to be taken by an entity in managing a breach if one occurs. This includes:

  • the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
  • the members of your data breach response team (response team)
  • the actions the response team is expected to take.

Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach.

You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. What is ‘regular’ in this context will depend on your circumstances, including the size of your entity, the nature of your operations, the possible adverse consequences to an individual if a breach occurs and the amount and sensitivity of the information you hold.

Research suggests that infrequent reviews of response plans are a significant impediment to the effectiveness of those plans. You should create and test your plan before a data breach occurs by, for example, responding to a hypothetical data breach, and regularly test it after implementation for effectiveness. It may be appropriate in some instances that a review of the plan coincide with the introduction of new products, services, system enhancements or such other events which involve the handling of personal information.

Make sure you and your staff are familiar with your data breach response plan and that it is easily accessible; this will help you respond quickly and appropriately.

An example of a data breach response plan you can refer to is the OAIC’s plan, available on the OAIC website. The OAIC is a small government agency and the scope and content of the plan reflects this. If you choose to adopt aspects of our plan you will need to adapt it to your own circumstances.

What should the plan cover?

The more comprehensive the plan, the more timely the ability to respond to a potential breach and mitigate any damage or harm to individuals who have had their personal data compromised.

Information which your plan should cover includes:

  • a strategy for assessing, managing and containing data breaches. This includes the steps and actions your staff, especially your response team, should take in the event of a breach or suspected breach. Specifically:
    • potential strategies for containing and remediating data breaches
    • ensuring you have the capability to implement those strategies as a matter of priority (e.g. having staff available to deal with the breach – see ‘Response team membership’ section below). Your plan should reflect the capabilities of your staff to adequately assess breaches and their impact, especially when breaches are not escalated to a response team
    • a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities. In particular:
      • who is responsible for implementing the communications strategy
      • determining how affected individuals will be contacted and managed
      • criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators (including the OAIC) and the media)
      • who is responsible for determining which external stakeholders should be contacted
      • who is responsible for liaising with those external stakeholders
    • The plan should also clearly identify those actions that are legislative or contractual requirements
  • a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur (see ‘What is a data breach?’ section above). You may also want to include potential examples of a data breach which are tailored to reflect your business activities
  • the reporting line if staff do suspect a data breach, including who needs to be informed immediately
  • the circumstances in which the breach can be handled by a line manager, or when it should be escalated to the response team. This could include consideration of the following questions:
    • are multiple individuals affected by the breach or suspected breach?
    • is there (now or potentially in the future) a real risk of serious harm to the affected individual(s)?
    • does the breach or suspected breach indicate a systemic problem with your practices or procedures?
    • other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk
  • who is responsible for deciding whether the breach should be escalated to the response team? One option is to have each senior manager responsible for deciding whether to escalate matters relevant to their area. The other option is to have a dedicated role, such as the privacy contact officer
  • recording data breaches. You should consider how to record data breaches, including those that are not escalated to the response team
  • a strategy to identify and address any weaknesses in data handling that contributed to the breach
  • a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan.

Response team membership

The purpose of having a response team is to ensure that the relevant staff, roles and responsibilities are identified and documented before the data breach happens. Time can be lost if you do not consider how to create a response team until the breach has already occurred.

The make-up of your response team will depend on your business and the nature of the breach. Different skill sets and staff may be needed to respond to one breach compared to another. Depending on the size of your entity and the nature of the breach, you may need to include external experts in your team, for example for legal advice, data forensics and media management. You should identify the type of expertise you may need and ensure that that expertise will be available on short notice.

You should keep a current list of team members which clearly articulates their roles, responsibilities and authorities as well as their contact details (possibly attached to the plan). You should ensure contact lists remain updated, particularly in the event of organisational changes. Each role on the team should have a second contact point in case the first is not available. You may wish to consider creating a core team and adding other members as required.

Typical team roles and skills might include:

  • a team leader — to lead the team and manage reporting to senior management
  • a project manager — to coordinate the team and provide support to its members
  • a senior member of staff with overall accountability for privacy and/or key privacy officer — to bring privacy expertise to the team
  • legal support — to identify legal obligations and provide advice
  • risk management support — to assess the risks from the breach
  • ICT support/forensics support — particularly if the breach requires investigation of ICT systems
  • information and records management expertise — to assist in reviewing security and monitoring controls related to the breach (for example, access, authentication, encryption, audit logs) and to provide advice on recording the response to the data breach
  • HR support — if the breach was due to the actions of a staff member
  • media/communications expertise — to assist in communicating with affected individuals and dealing with the media and external stakeholders.

If you hold an insurance policy for data breaches, that insurer may have a pre-established panel of external service providers in many of the roles listed above. You may want to consult with your insurer as to the identity of that panel so they can be included in any response team. Alternatively, the insurer may have a hotline available to assist in the event of a data breach, and that could be noted in the response plan.

How the response team is reflected in your response plan will depend on your circumstances. For example, the escalation of management of a data breach to a response team may not occur in smaller entities. Depending on the size of your entity or the size of the breach, a single person may perform multiple roles. In smaller entities the owner/principal of the entity could potentially be the person who needs to respond to and act on that breach.

It is important that the response team has the authority to take the necessary steps in the event of a breach without the need to seek permissions, particularly in time-critical scenarios. You will need to carefully consider who will be the team leader. The role must be of sufficient seniority/authority to effectively manage other parts of the business whose input is required and to report to senior management. It may be your senior member of staff with overall accountability for privacy, a senior lawyer (if you have an internal legal function) or another senior manager. If the breach is serious, it may be a senior executive.

Actions the response team should take

A data breach response plan should also set out (or refer to) the actions the response team is expected to take when a data breach is discovered. The OAIC suggests these four steps be followed:

  1. contain the breach and do a preliminary assessment
  2. evaluate the risks associated with the breach
  3. notification
  4. prevent future breaches.

These steps and suggested courses of action are set out in more detail in the OAIC’s Data breach notification guide: A guide to handling personal information security breaches. When developing the actions your response team will take, you could use or adapt our suggestions or seek out other resources. Any response plan will need to be tailored and developed for your own circumstances.

You will need to consider what information needs to be reported to senior management during the course of your investigations and at what point. This reporting structure should form part of your plan.

The data breach response plan should outline how staff will record the identification and response to a data breach. Keeping records on your privacy breaches will assist you to deal with the data breach itself, and also help prevent future breaches by identifying risks and issues.

It is also best practice to notify the OAIC when you have a data breach and there is a real risk of serious harm to the affected individuals. You can report a data breach to the OAIC via email (enquiries@oaic.gov.au) or telephone (1300 363 992).

Other considerations

In developing your plan you could also consider:

  • when and how the response team could practise a response to a breach in order to test procedures and refine them
  • whether your plan for dealing with personal information data breaches could link into or be incorporated into already existing processes, such as a disaster recovery plan, a cyber security/ICT incident response plan, a crisis management plan or an existing data breach response plan involving other types of information (e.g. commercially confidential information)
  • whether senior management should be directly involved in the planning for dealing with data breaches and in responding to serious data breaches
  • whether you have an insurance policy for data breaches that includes steps you must follow.

Appendix — data breach response plan quick checklist

Use this list to check whether your response plan addresses relevant issues. The original checklist is a table with three columns (Issue, Yes/no, Comments); record a yes/no answer and any comments against each issue below.

  • How is a data breach identified?
  • Do your staff know what to do if they suspect a data breach has occurred?
  • Who is ultimately responsible for your entity’s handling of a data breach in accordance with the plan?
  • Who is on your response team?
  • Do you need to include external expertise in your response team, for example data forensics experts, privacy experts etc?
  • Do they know their roles and what to do?
  • Have you set up clear reporting lines?
  • When do you notify individuals affected by a data breach?
  • Have you considered in what circumstances law enforcement or regulators (such as the OAIC) may need to be contacted?
  • Do you have an agreed approach to responding to media inquiries, including
      • pro-active or reactive strategies?
      • agreed spokesperson?
  • What records will be kept of the breach and your management of it?
  • Does your plan refer to any strategies for identifying and addressing any weaknesses in data handling that contributed to the breach?
  • Are there any matters specific to your circumstances, for example:
      • do you have insurance policies that may apply?
      • how will you keep your staff informed?
  • How frequently is your plan tested and reviewed and who is responsible for doing so?
  • Is there a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan?

To highlight how prevalent data breaches are, and their consequences, a few very recent examples:

  • The Pain treatment centre of America notified 19,397 patients about a breach (described as an incident)
  • 700 people who sought accommodation through the University of Prince Edward Island had their personal information leaked in March, which resulted in an embarrassing story on CBC News
