Mandatory data breach notification on the agenda again

Federal Parliament commenced sitting on 30 August 2016 and the long-proposed mandatory data breach notification legislation is again on the newly returned Coalition Government’s agenda. Currently, the Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks likely to change soon.

The Department of Prime Minister and Cabinet’s list of legislation proposed for introduction in the Spring 2016 parliamentary session (which runs until 1 December 2016) includes the Privacy Amendment (Notifiable Data Breaches) Bill (Data Breaches Bill). The Data Breaches Bill is marked as being proposed for introduction and passage in the Spring sittings, so the Government is aiming to have the Data Breaches Bill passed by the end of the year.

While the new Senate has an increased number of cross-bench senators, a mandatory data breach notification scheme has been previously proposed by the Labor party and the Greens also appear to support its introduction. With this in mind, it is possible that the Data Breaches Bill could pass relatively quickly through the Parliament and indeed become law by the end of this year.

As mentioned in our previous updates, it is unclear if the Government has made any changes to the Data Breaches Bill as a result of feedback received from industry and consumer groups, major companies and other government bodies on the exposure draft of the legislation that was released in December 2015 (Exposure Draft). While the title of the bill has changed (it was previously the Privacy Amendment (Notification of Serious Data Breaches) Bill), it is unclear at this stage whether there have been any substantive changes to the bill since the Exposure Draft was released. We will need to wait until the Data Breaches Bill is formally introduced into the Parliament to confirm this.

What should I do?

Under the Exposure Draft, data breach notification obligations would come into effect 12 months after the bill received royal assent. It is likely a similar period will apply for the Data Breaches Bill. Accordingly, it is possible that data breach notification obligations could become part of privacy compliance obligations under the Privacy Act by the end of 2017. We will continue to monitor the introduction and passage of the Data Breaches Bill.

While still some time away, organisations and agencies need to be pro-active and should start preparing for the introduction of mandatory data breach notification obligations now. Not only should internal data breach response plans and processes be updated, but contracts with external service providers who handle personal information should be updated to include an obligation to notify in the event of a data breach.

It is critical to have a data breach response plan setting out what to do if a data breach occurs. Also, many breaches arise from weaknesses in external service providers’ IT systems, rather than your own systems. It is therefore important to have a vendor cyber-risk management framework in place. Norton Rose Fulbright has developed two fixed price cyber-risk management packages to address these issues. Please contact us for further details.

In addition, should you become aware of an actual or potential cyber-incident (including data breach and network interruption), Norton Rose Fulbright offers a global 24/7 incident response service. As ‘breach coach’, we work with you to provide a streamlined response by assessing the size and nature of the incident, taking steps to contain it, and co-ordinating our panel of carefully selected third party vendors, all the while managing stakeholders’ interests and mitigating potential loss. Our early involvement and establishment of legal professional privilege protects you to the maximum extent possible as far as sensitive communications are concerned.