Mandatory data breach reporting may soon be here

If legislation for mandatory data breach reporting currently before the Senate passes, Australian businesses will be required to publicly disclose any data breaches they suffer.

Mandatory data breach reporting laws have been growing increasingly popular elsewhere in the world - they’re even becoming the norm in the US. In 2003 the state of California introduced a law requiring businesses and state agencies to notify Californians if their unencrypted personal information is compromised in a security breach.

Since then more US states have followed suit, with a total of 47 now having mandatory data breach notification laws, according to the US National Conference of State Legislatures.

Similar laws have been on the Australian horizon for some time. In May 2008 the Australian Law Reform Commission recommended the introduction of laws that require organisations to notify authorities and affected individuals if a breach occurred and if those individuals could experience serious harm as a result.

In June 2013, then-Labor minister and Attorney-General Mark Dreyfus introduced the Privacy Amendment (Privacy Alerts) Bill 2013 to the House of Representatives. The Bill made it to the Senate, but lapsed at the end of parliament last year, before it was able to receive the Senate’s approval.

On 20 March this year, Labor Senator Lisa Singh reintroduced the Bill to the Senate as the Privacy Amendment (Privacy Alerts) Bill 2014. It may have a different year in its title, but the core text is identical to that of the 2013 Bill.

If you want a full rundown of the Bill, head to www.aph.gov.au, search for “Privacy Amendment (Privacy Alerts) Bill 2014” (without inverted commas), and track down the Bill’s first reading. If you don’t want to wade through 4000+ words of legalese, here’s a summary of what the Bill would mean if passed:

• Agencies or organisations that suffer a serious data breach would have to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).
• Notification would only be required if a breach was “serious”.
• A breach notification would have to include a description of the breach, the kinds of information involved, recommendations about steps that affected individuals should take in response to the breach, and contact details of the breached organisation.
• The commissioner could direct an organisation to provide affected individuals with notification of a data breach.
• Law enforcement agencies could be exempt from notification if they felt it could impede some enforcement related activity.
• The commissioner could excuse an organisation from notification if he/she felt it was in the public interest to do so.
• The commissioner could investigate failures to notify, and such an investigation could lead to compensation payments and enforceable undertakings.
• Serious or repeated non-compliance with notification requirements could lead to a civil penalty being imposed by a court.

Consultation

The 2014 Bill has not had any public consultation. But a Senate Committee did take submissions on the previous incarnation of the Bill - it attracted support from some corners and criticism from a variety of privacy and business groups.

The Consumer Credit Legal Centre (NSW) - a consumer advice and advocacy service specialising in personal credit, debt, banking and insurance law - gave the Bill high praise.

“A mandatory reporting requirement such as the one set out in the Bill would ensure that consumers receive the necessary information about how their personal credit reporting information is being protected. The mandatory notification requirement is long overdue, and represents a significant benefit to consumers. We strongly encourage the Senate Committee to endorse the Bill,” the organisation’s submission read.

The Australian Communications Consumer Action Network (ACCAN) wrote that it “encourages the Senate Committee to endorse the Bill”.

Liberty Victoria, a human rights and civil liberties organisation, wrote, “The purpose of the legislation is commendable” but complained that “a large part of the Bill is dedicated to exceptions, the breadth of which […] Liberty opposes”.

The legislation “exempts enforcement bodies from notifying individuals or publishing serious data breaches if it believes on reasonable grounds that it would prejudice one or more enforcement-related activities conducted by it (or on its behalf). Whilst it is foreseeable that in some limited circumstances enforcement bodies would have need of this, it is also foreseeable that it could be used to avoid disclosing almost any breach by those bodies,” Liberty said.

The Cyberspace Law and Policy Centre, part of the University of New South Wales’ Faculty of Law, wrote that while a mandatory data breach notification scheme is “often helpful”, “The Privacy Alerts Bill is however a ‘lite’ version of a Mandatory Data Breach Notification law.

“Future international comparisons may show that, if passed in the current form, it will fall well short of best practice, and there may thus also be many Australians who might expect (and need!) to be notified under this model who may be still left in the current unsatisfactory limbo,” the policy centre wrote.

“The Bill should be passed rather than rejected, but if passed should be substantially amended to address some of its shortcomings.” For one, the policy centre complained that the scope of organisations required to report on data breaches was “too narrow”.

Several business groups complained that compliance with the Bill would create too great a regulatory burden. The Australian Finance Conference (AFC) - an organisation that includes credit providers, financiers, receivables managers and consumer credit reporting agencies - was one such complainant.

“Financial service providers who handle considerable data, and need to hold it for long periods of time, will potentially incur greater costs when compared with other industries where data-handling may not be as significant in terms of day to day operations,” the AFC wrote.

According to the Communications Alliance, “The implementation of a mandatory data breach system is likely to be costly.

“It is also difficult to attempt to quantify the cost of communicating a breach to those affected until the breach has occurred. That is, until an entity has an understanding of the size and nature of a breach, how can it determine the cost of notification?” the Alliance wrote.

“Moving from a voluntary Guide to mandatory legislation will result additional costs to business, including legal counsel, associated with ensuring compliance with a mandatory scheme. That is, what could once be managed through good internal business processes would need be formalised in such a way as to require businesses to seek expert advice to ensure they comply with legislative requirements,” it said.

Serious harm

The definition of the harm that would have to befall a person before a notification was required also attracted criticism. Electronic Frontiers Australia wrote that the definition should be expanded to include “psychological harm, onerousness and inconvenience to the individuals affected, and harm caused by breaches of inaccurate data”.

The Communications Alliance was unhappy with the Bill’s use of the term “serious harm”.

“In industry’s view, there should be a threshold test that industry can use to determine whether ‘serious harm’ could or would be caused. It is noted that both ‘risk’ and ‘real risk’ are defined within the legislation, as well as ‘harm’ but there has been no attempt to define the concept of ‘serious harm’,” the Communications Alliance wrote.

“Further, in the absence of a definition of ‘serious harm’, it is possible that the legislation will cause an organisation to take a risk-averse position in order to avoid breaching such an obligation. This could, potentially, result in over-reporting of relatively minor data-related errors,” the Communications Alliance wrote.

Many commentators - from both privacy and business groups - complained of the short time span they had to comment on the Bill.

Liberty Victoria, for example, wrote: “We note with extreme disappointment that public comment opened on 18 June 2013 and closed two days later on 20 June 2013. This is a not conducive to open and transparent Government and it is extremely unlikely that many members of the public or any other interested party will have had time to review the Bill let alone prepare submissions to this Committee.”

What happens now

Based on the Bill’s second reading debate in June, it seems Labor and the Greens will vote to support the Bill. The Coalition’s comments were a little harder to interpret, with many Coalition senators saying the government supports the principle of the legislation, but not Labor’s version of it. Liberal senators David Fawcett and Richard Colbeck provided perhaps the clearest signals of the government’s intent.

“We support it in principle but there needs to be more considered input from the stakeholders, particularly civil society, before we would support moving forward with it,” Fawcett said.

“When you have the Australian Privacy Foundation also expressing concerns, that is a fair indication of why proper consultation should be put in place and why we do not support this piece of legislation,” Colbeck said.

Let’s assume Labor, the Coalition and the Greens will vote along party lines. With 33 seats, the Coalition would need the support of five of the eight remaining crossbenchers to attain the 38 required to block the Bill.

Conversely, with 35 votes for the Bill, Labor and the Greens would only need four of the eight crossbenchers to reach 39 votes to get the Bill over the line.

Looking at the numbers alone, the vote could go either way.

Bruce Arnold, Assistant Professor in Law at the University of Canberra, said, “I honestly don’t know [how the vote will go]. The Palmer United Party at the moment is unpredictable.”

David Vaile, executive director at UNSW’s Cyberspace Law and Policy Centre, said of the crossbenchers: “I don’t think you can tell. The crossbenchers in the Senate have been very surprising in their approach. Strangely enough, they have sometimes been quite well tuned in to the view from ordinary people. At other stages, they’ve been obviously very empathic to the needs of industry.”

Anne Robins, research director at Gartner, said some in the crossbench are likely to vote against the Bill, not because they believe it too onerous, but rather “they think it’s not strong enough”.

“What I’ve seen come out from the Coalition would indicate that they’re playing more of a ‘not due process’ sort of game, rather than coming up with any specific comment around the content of the Act, and maybe that’s a mechanism for them to defeat it here and then perhaps take a different approach,” Robins said.

And senators might not vote along party lines. “We may well see some expressions of concern on the part of the Liberals. It’s easy to say that there’s some sort of absolute party discipline,” but that’s not the case, Arnold said. “There is a real spread of opinion and knowledge,” Arnold said.

Assuming that the Bill passes the Senate in some form, what will it ultimately look like?

Arnold said it’s hard to predict, but “I suspect if it goes through, it will go through pretty much like what we’ve got at the moment”. Then, if it is passed into law, there will be five to ten years of lobbying from various parties and commentators to modify the law - potentially weakening, strengthening or tightening it up in some way.

Robins said, “If I was going to bet, I would say I think they’ll at least do one pass around of having a go at changing it. But, to be honest, I think it’s doomed.”

The analyst said that, considering some of the issues with the Bill, “perhaps this isn’t the right vehicle to achieve” mandatory data breach reporting. “Trying to chip away at [the Bill] … around the edges, perhaps isn’t going to get us that much closer. It may be an opportunity to take a step back and consider how a simpler, more streamlined process may achieve the same outcome but actually be a win for everybody.”

Given the complaints from all sides, is it too much to change?

“I think what you need is an intelligent version two of the model that identifies the underlying features of the various complaints and tries to see which of those are competing and opposing, and which [can be resolved to] make everyone a bit happier,” Vaile said.

It’s hard to say when the Bill will be heard again in the Senate, Arnold said, with many behind-the-scenes factors influencing when senators consider or vote on a Bill.

If the Bill - or some form of the Bill - is passed, it’s likely that businesses would have some time to prepare for the changes.

“Usually there’s a transition period. A nice example was the big changes to the Privacy Act, where basically business had two years to get ready. With something like this, it’s unlikely that it would come into effect straight away,” Arnold said.

Image credit: ©James Thew/Dollar Photo Club