Earlier this year, we released our inaugural cyber survey report, Perspectives on Cyber Risk (the Report), intended to provide insight into Australian organisations' cyber risk posture and cyber resilience capability.
Perhaps one of the more surprising findings in the Report was that surveyed organisations did not appear to be overly concerned about the risk of regulatory action flowing from a cyber breach.
This blog post sets out some reasons why regulatory issues should be front of mind for Australian organisations should they have the misfortune of suffering a serious cyber breach.
Regulatory action
In a world where the collection of data and personal information can confer significant commercial advantage, more and more personal information is being stored by organisations looking to obtain that competitive edge.[1] As discussed in the Report, amendments to the Privacy Act 1988 (Cth) (Privacy Act) that commenced in March 2014 imposed a number of additional obligations on Australian organisations in relation to the storage, use and management of personal information. Unfortunately, from cross-border disclosure to updated privacy management policies, frameworks and collection statements, our experience is that many businesses are still struggling to come to terms with their obligations under the updated privacy regime.
We are also still awaiting legislation imposing a mandatory obligation on Australian organisations to notify affected stakeholders in the case of a serious data breach (discussed in our previous alert). Pending the enactment of this legislation, data breach notification in accordance with the Office of the Australian Information Commissioner's (OAIC) Data Breach Notification Guide remains voluntary.
Nevertheless, the potential for regulatory intervention in the case of a serious data breach remains significant. In particular, under Australian Privacy Principle 11 (APP 11), organisations are required to take 'reasonable steps' to protect personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. The OAIC's view is that following the Data Breach Notification Guide, and responding appropriately to a data breach (which may include notifying the OAIC and affected individuals), will assist organisations to meet the 'reasonable steps' requirement under APP 11. Conversely, failing to take appropriate 'reasonable steps' may mean that an organisation will be in breach of APP 11.
The loss
Under the Privacy Act amendments, the OAIC has been granted additional powers to sanction organisations that do not comply with the APPs. These powers include:
making determinations that compensation is payable to individuals;[2]
imposing civil penalties of up to $1.7 million for companies and $340,000 for individuals per breach of the Privacy Act;[3] and
publication of the outcomes of its investigations where this is consistent with its role as an educator and enforcer of the Privacy Act.[4]
Having these powers invoked against an organisation may also have serious ramifications for that organisation's reputation, as discussed in our previous blog post.
Although the OAIC has yet to impose any penalties or take regulatory action under the new amendments in relation to a cyber attack and the security of an organisation's systems, US regulatory authorities have been much more active. Both the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) have taken regulatory action against entities that have failed to keep personal information secure. For example, the SEC imposed a $75,000 penalty on an investment adviser that 'failed to establish the required cyber security policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm's clients'.[5] The FTC has broad consumer protection authority across a range of data protection laws. It has been active in taking action against what it describes as unfair or deceptive practices that put consumers' personal data at unreasonable risk, having brought more than 60 such cases since 2002.[6] Millions of dollars have been paid to settle some of these actions.
The strategy
APP 11 is accompanied by a 46-page Guide to Securing Personal Information that sets out the OAIC's view of what may constitute 'reasonable steps' for the purposes of the APPs.[7] This includes taking steps in relation to governance, culture and training, technical security and physical security, as well as understanding the risks posed by outsourcing aspects of the organisation's information technology infrastructure to third parties (such as cloud providers).
Demonstrating compliance with the OAIC's Guide to Securing Personal Information, as well as (in the case of a data breach) the OAIC's Data Breach Notification Guide, will assist an organisation to show that it has met the requirements of APP 11.
However, the OAIC is not the only regulator that may take an interest in a data breach. For example, depending on the circumstances, additional sanctions may be levied against:
organisations that are regulated by the Australian Prudential Regulation Authority (APRA) – which includes banks, insurance companies and most members of the superannuation industry – for failing to comply with APRA's Prudential Standards, which include specific requirements for privacy and data security;
carriers and carriage service providers by the Australian Communications and Media Authority (ACMA), should they fail to comply with specific requirements under recent amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) in relation to maintaining the confidentiality of the metadata they are required to retain;
public sector organisations that are subject to agency-specific legislative requirements;
company directors by the Australian Securities and Investments Commission (ASIC), for breach of their directors' duties under the Corporations Act 2001 (Cth), in particular, for breach of their obligation under section 180 of that Act to exercise their powers and discharge their duties with reasonable care and diligence;
listed public companies by the ASX or ASIC for breach of the ASX Listing Rules (which deal with continuous and periodic disclosure requirements);
organisations (and potentially their officers or employees) by the Australian Competition and Consumer Commission, for misleading or deceptive conduct under the Competition and Consumer Act 2010 (Cth), for example, as a result of failing to act in accordance with the organisation's own privacy policy.
This is, of course, in addition to civil liability to suppliers or customers for breach of contract, including breach of specific contractual obligations relating to data security and the protection of personal information, and for breach of confidence.
We hope you found this instalment useful (and not too sobering). We will also shortly launch our 2016-17 cyber security survey, and it will be interesting to see whether, given ever increasing press coverage in relation to cyber security and cyber attacks, Australian organisations' perception of regulatory risk has changed in the last 12 months.
[1] A Chiang, 'Big data, big traps: How massive stores of personal information can be misused', South China Morning Post (online), 28 April 2015, www.scpm.com.
[2] Section 52 of the Privacy Act.
[3] Sections 13G, 80V and 80ZD–80ZF of the Privacy Act.
[4] Office of the Australian Information Commissioner, Australian Privacy Principles Guidelines, available online at www.oaic.gov.au, at [6.37]–[6.40].
[5] U.S. Securities and Exchange Commission, 'SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach', 22 September 2015, available at www.sec.gov.
[6] Federal Trade Commission, Privacy and Data Security Update (2015).
[7] Office of the Australian Information Commissioner, Guide to Securing Personal Information, available online at www.oaic.gov.au, at Part B.