Archive: December 2015

1
Mandatory data breach notification legislation up for discussion
2
APRA raising the bar on Cybersecurity

Mandatory data breach notification legislation up for discussion

By Jim Bulling, Cameron Abbott, Michelle Chasser and Meg Aitken

The Attorney-General’s Department has released for discussion, an exposure draft bill regarding mandatory reporting of serious data breaches. Notification requirements will apply to companies and information subject to the Privacy Act.

Under the proposal, a company would have up to 30 days after it is aware of a breach, or ought reasonably to be aware of a breach, to assess whether a data breach is a ‘serious data breach’. A serious data breach occurs if:

  1. there is unauthorised access or disclosure of information; and
  2. there is a real risk of serious harm to any of the individuals to whom the information relates.

When considering whether there is a real risk of serious harm to an individual the draft legislation lists a number of factors that should be considered including:

  1. the kind of information;
  2. whether the information is in a form that is intelligible to an ordinary person;
  3. whether the information is protected by security measures;
  4. the kinds of person who could obtain the information;
  5. the nature of the harm; and
  6. any mitigation steps taken by the company.

If the company determines that a serious data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The draft legislation also gives the OAIC additional powers to direct companies to undertake notification.

The proposal has a number of differences from the previous attempts to legislate mandatory data breach reporting which were made in 2013 and 2014. Most notably, previously the trigger for notification involved a belief that there had been a data breach, the current draft requires a company to be aware, or when it ought reasonably to be aware, of a breach. Additional types of specific harm are included in the current draft, however, this is unlikely to have a major impact in practice.

Currently, data notification is only mandatory for unauthorised access to eHealth information under the My Health Records Act 2012. However, the OAIC operates a voluntary data breach notification scheme which also uses the real risk of serious harm notification threshold.

The exposure draft and accompanying discussion paper can be found here. Submissions are due by 4 March 2016.

APRA raising the bar on Cybersecurity

By Jim Bulling

At the Association of Superannuation Funds of Australia (ASFA) conference held in Brisbane in the last week of November, Stephen Glenfield, APRA’s General Manager of the South West region indicated that an area of significant interest for APRA during 2016 would be the extent to which superannuation funds were prepared for cybersecurity risks.

Mr Glenfield indicated that APRA would be conducting a thematic review of superannuation funds during 2016 which was designed to provide APRA with much more detailed information about the processes that superannuation fund trustees were putting in place to protect their funds and their members from cybersecurity breaches.

As thematic reviews carried out by APRA are usually precursors to further regulatory or prudential reform, this announcement should alert superannuation funds to expect more comprehensive regulatory requirements in relation to the cybersecurity risks in the near future.

It is expected that APRA will be particularly interested in understanding how superannuation fund risk management frameworks address cybersecurity risks and how trustee boards are involved in the oversight of cybersecurity risk management. A likely focus of the reviews will be investigating the measures which superannuation funds have established to:

  • identify critical assets and data
  • protect such assets and data
  • promptly detect when breaches have occurred
  • respond to breaches including communications and reporting
  • recover from breaches including reinstatement of systems and learnings from incidents.

This initiative comes on the back of ASIC’s release during March of this year of its Report 429 on Cyber Resilience and underlines how Australia’s financial system Regulators are becoming much more concerned about cybersecurity risks.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.