Exclusive: Data breach notification bill revealed

The Australian Government's plans for a data breach notification scheme have been shared with a small number of key stakeholders as a draft exposure bill, marked as Confidential.

The Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, obtained by SC, was the strongest sign to date that current Government plans to bring mandatory data breach into force.

The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Federal Privacy Commissioner, affected consumers and on occasion the media when data breaches occur.

A discussion paper was issued in October seeking public feedback on design of the scheme.

The Exposure Draft, marked confidential and circulated by the Federal Attorney-General's Department on a limited basis, provides a first real insight into the Government's thinking about how the scheme may operate.

It appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered.

These triggers for notification vary widely in implementations across Europe and the US, and lawmakers have expressed concern about forcing organisations to report all breaches.

SC Magazine has prepared a one-page guide [pdf] to compliance with the help of our friends at Websense. It is available for download for SC readers.

Sources close to the formulation of the scheme say the laws could at earliest come into force as early as July this year with a grace period for organisations to comply.

The details

Under the draft legislation, the Federal Government would consider a data breach to be serious if an organisation is delinquent in its requirements under the new Australian Privacy Principles to take reasonable steps to secure customer personal information.

The breached data, lost or stolen, would need to expose customers to a "real risk of serious harm" and could be subject to unauthorised access or disclosure.

In other words, there would need to be a less than remote chance that breached data could be used to damage a customer's reputation and hip pocket.

Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations - a maximum penalty which was last month increased from $220,000 and $1.1 million respectively.

Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.

The draft bill was not prescriptive in the technology organisations should use, nor what may constitute "reasonable" efforts to secure customer data.

Organisations could also face fines if their outsourcer is breached under the draft bill. If personal information is sent overseas, the sender is required under APP 8.1 (pdf) to reasonably ensure the receiving company does not breach privacy law.

In the eyes of the Privacy Office, the organisation that sent customer data to an offshore provider remains the guardian of the data. If the Privacy Commissioner finds due diligence did not occur prior to this transaction - and a breach occurs at the third party - the guardian of that data faces a serious data breach.

Data loss stemming from a lack of due diligence in protecting credit reporting and credit eligibility data was also considered a possible serious breach, as was the sending of this data offshore.

Organisations could also face serious breaches if Tax File Numbers were lost or stolen without first being reasonably protected.

Under the draft bill, serious breaches require impacted organisations to send a prompt statement to the Privacy Commissioner, outlining among other elements the details of the serious breach, the compromised information and remedial steps that victims should take.

Exposed customers must also be individually notified using whichever communication channels the organisation normally employs.

The Commissioner could also force the affected organisation to post a public statement on its website and inform media outlets across the states and territories, according to the draft bill.

Law enforcement were exempt under the draft bill to avoid risking prejudice against agency operations.

Such an exemption was flagged as necessary in March by Victoria's Commissioner for Law Enforcement Data Security, David Watts, who said data breach notification laws could threaten service providers with "astonishing reputational damage" but also shake public confidence in the police service and possibly reveal its security vulnerabilities.

The Privacy Commissioner could also provide exemption to organisations from having to publicly report data breaches if it was deemed in the public interest.

It is understood that these exemptions could exist to prevent interruption to data breach investigations.

Operators of the Personally Controlled Electronic Health Record must already report breaches and will not have to report again under the proposed laws.

SC met yesterday with security and IT heads of top tier Australian enterprises to discuss data breach notification. Stay tuned for our analysis, available only to logged-in readers of SC. 

Copyright © SC Magazine, Australia