This Insight summarises data breach reporting obligations for Australian organisations and agencies under the Privacy Act 1988 (Cth) (Privacy Act) and Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), and best practices for businesses to follow when responding to a data breach.
Organisations may also have contractual reporting obligations under insurance and supplier arrangements, which may impose different triggers and timelines for reporting.
It is important for businesses to be aware of their reporting obligations as failing to comply could lead to severe penalties and legal action.
Reporting data breaches
Reporting obligations for Australian businesses are extremely important. In certain situations, reporting data breaches to authorities may provide an opportunity to mitigate the harm that could arise from the incident.
Mandatory reporting obligations under regulation serve to alert businesses to the prevalence of cyber threats. They deter poor data management practices and encourage businesses to implement stronger safeguards. They also give individuals the opportunity to take necessary steps to prevent or lessen harm arising from a breach, and remind individuals why safe cyber practices are important.
Mandatory reporting of data breaches also provides regulators with valuable information on the prevalence of data breaches in Australia, allowing them to recognise trends and take steps to combat the problem. For example, the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches report found ransomware was the most common cyber security incident, accounting for 31% of reported data breaches. This information could direct businesses to target staff training in anti-ransomware practices.
Australian Privacy Laws
The Privacy Act governs the collection, use, disclosure, management, storage, and security of personal information. It mandates responsible data management and improves reporting practices across Australia. The Privacy Act currently contains strict consequences for any privacy law breach, often leading to regulatory actions and penalties.
The Privacy Act covers organisations with an annual turnover of more than $3 million and Australian Government agencies. However, in 2024, reforms are set to expand the coverage of the Privacy Act to smaller businesses (potentially all businesses).
The Notifiable Data Breach Scheme
Introduced in 2018, the Notifiable Data Breaches (NDB) scheme is a key component of Australia’s privacy regulations and mandates certain reporting obligations.
Under the NDB scheme, any organisation or agency bound by the Privacy Act that has reasonable grounds to believe that an ‘eligible data breach’ has occurred must promptly notify affected individuals and the OAIC if the data breach is likely to result in serious harm to an individual whose personal information is involved.
Where it is not immediately clear if a data breach has occurred, you must conduct an assessment to determine if it is a notifiable data breach.
A breach will be an eligible data breach and notifiable if:
- there is unauthorised access to or disclosure of personal information held by an organisation or agency;
- this is likely to result in serious harm to any of the individuals to whom the information relates; and
- the organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.
Examples of serious harm include:
- identity theft, which can affect your or your business’ finances and credit report;
- financial loss through fraud;
- a likely risk of physical harm, such as from an abusive ex-partner;
- serious psychological harm;
- serious harm to an individual’s reputation.
Under the NDB scheme, entities may develop their own procedures for assessing a suspected data breach, but the assessment must be reasonable and expeditious. The OAIC recommends the following three-step process:
- Initiate – determine if an assessment is necessary and identify who will be responsible for completing it.
- Investigate – gather relevant information about the suspected breach, such as the personal information affected, who has access, etc.
- Evaluate – based on the investigation, decide if an identified breach is an eligible data breach.
Security of Critical Infrastructure Act 2018 (Cth)
Entities responsible for critical infrastructure assets must report certain types of cyber security incidents affecting that infrastructure. Initially the assets comprised traditional infrastructure – water, gas, electricity, and ports. It has been expanded to include 11 sectors such as communications, financial services, data storage and processing, healthcare, food and groceries and transport.
Under the SOCI Act, if you become aware that a critical cyber security incident has occurred, or is occurring, and the incident has had a ‘significant impact’ on the availability of your critical asset, you must notify the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of the incident. If you make a report verbally, you must make a written record through the ACSC’s website within 84 hours of the verbal notification.
Where a cyber security incident is having, or is likely to have, a ‘relevant impact’ on your critical asset, you must notify the ACSC within 72 hours of becoming aware of the incident. If you make the report verbally, you must make a written record within 48 hours of the verbal notification.
The Cyber and Infrastructure Security Centre (CISC) guide to Cyber Security Incident Reporting describes when an incident has a ‘relevant’ or ‘significant’ impact.
Cyber security incidents can be reported through the ACSC’s website.
Responding to Data Breaches
Identify the breach
A data breach can manifest in many forms, including cyberattacks, simple human error and physically stolen information. Cyber security training for employees is essential so that they can recognise potential breaches and deal with them swiftly.
Enact your response plan
Your business should have a detailed response plan in place to respond quickly and sufficiently to the breach. This will involve drawing on a wide range of experts, including technical advisers, legal advisers, data forensic specialists and crisis communications consultants. Your experts should be familiar with your business and systems and you should have a good relationship with them. Maintain a detailed list of the response team members and how they can be contacted during and after office hours, having regard to the fact a data breach may occur at any time.
Your response plan should lay out clear action steps covering your containment strategies, risk assessments, and notification obligations and how to comply with them. During this process, you should document each action step in detail to meet your Privacy Act compliance obligations.
Run regular training sessions and full-scale tests on your response plan so as to correct any inefficiencies within the response plan and be prepared for a cyberattack.
There are three key reporting obligations if you have reasonable grounds to believe your business has been subject to an eligible data breach (ASX listed entities have more):
- Notify affected individuals
Individuals who are at risk of suffering serious harm as a result of the breach must be notified by the organisation. This type of notification should include information regarding the breach, the kind of information lost and recommended steps for them to take.
- Notify the OAIC and other regulators
OAIC must be notified of the organisation or agency’s name and contact details, a description of the data breach and recommended steps individuals should take following the breach. Depending on the nature of the assets you may also need to notify the ACSC.
- Notify key contractors
Many key contracts will have contractual obligations requiring your organisation to notify suppliers or customers or other stakeholders of data breaches. These contracts may all have different notification triggers.
ASIC reportable situations regime
During 2022-23, the Australian Securities and Investments Commission (ASIC) focused on improving the operation of the reportable situations regime. The regime, which applies to Australian Financial Services (AFS) and credit licensees, places additional reporting obligations on these licensees if a data breach occurs.
Under the regime, AFS and credit licensees must report all ‘reportable situations’ to ASIC in writing. Reportable situations include:
- significant breaches or likely significant breaches of ‘core obligations’ under ASIC Regulatory Guide 78;
- investigations into whether there is a significant breach or likely breach of a ‘core obligation’ if the investigation continues for more than 30 days;
- the outcome of such an investigation if it discloses there is no significant breach or likely breach of a core obligation;
- conduct that constitutes gross negligence or serious fraud; and
- reportable situations about other licensees.
AFS and credit licensees must notify ASIC of reportable situations within 30 calendar days of becoming aware that there are reasonable grounds to believe a reportable situation has occurred.
For more information on reportable situations for AFS and credit licensees, visit the ASIC website.
Failing to report a data breach can result in significant penalties for your business. You may be liable to pay for any damage suffered by third parties as a result of the breach, incur costly fines, and suffer reputational damage.
Contact Sainty Law at firstname.lastname@example.org for assistance with complying with your data breach legal reporting obligations and establishing processes to facilitate this compliance.