Data Breaches – Who is responsible for Information Security?

Data breaches in Australia are on the rise. While most of these breaches affect smaller businesses, there are occasional “major” cyber breaches that affect large organizations and significant numbers of people. With many data breaches in the news recently, many are curious about who is responsible for information security?

The Australian government has taken many steps to strengthen resilience against cyber threats to stem this damaging trend. The steps taken by the Government have placed the primary responsibility for information security on businesses.

In this article, Micaela Diaz, Solicitor at Prosper Law, explains data breaches in Australia and who is responsible for information security.

What is a Data Breach?

A data breach occurs when personal information held by an entity is subject to unauthorized access or unauthorized disclosure of personal information, or a loss of personal information.

Meaning of unauthorised access

Unauthorized access of personal information occurs when someone accesses an entity’s data who is not authorised to do so. This includes unauthorised access by an employee of the company or an independent contractor and unauthorised access by an external third party (e.g., through hacking).

Examples of unauthorised access include:

• an employee searches sensitive customer data without a legitimate reason;
• a computer network is compromised by an external attacker who gains unauthorised access to personal data.

Meaning of unauthorized disclosure

An unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity and releases that information from its effective control in a manner not permitted under the Privacy Act. This includes unauthorised disclosure by an employee of the entity.

For example, an unauthorised disclosure occurs when an employee inadvertently posts a confidential file containing the personal information of one or more individuals on the Internet.

Meaning of loss

Loss refers to the accidental or inadvertent loss of personal information held by an entity under circumstances that may result in unauthorised access or disclosure.

For example, when an employee of a company leaves personal information (including paper documents, unsecured computer equipment or portable storage media containing personal data) on public transport.

Types of personal information involved in data breach

Some types of personal information can cause serious harm to individuals if compromised. Examples of the types of information that may increase the risk of serious harm in the event of a data breach include:

• ‘Sensitive information,’ such as information about an individual’s health;
• Documents commonly used for identity fraud (including Medicare cards, driver’s licenses, and passport information);
• financial information;
• a combination of different types of personal information (rather than a single piece of personal information) that reveals more about the individuals to whom the information relates.

Who is responsible for Information Security?

Businesses are responsible for protecting their own data and consumers – that’s the law. In addition, the Privacy Act 1988 (Cth) provides that in a situation where a company is the victim of fraudulent behaviour, the business is responsible for all damages, including those to the consumer.

Consequences of a data breach on a business

The impact of a data breach goes far beyond the immediate consequences of the loss of important information and the cost of containing the spread.

Here’s a quick look at three of the most significant impacts of data breaches on businesses:

Financial Consequences of a Data Breach on business

According to the Ponemon Institute, the average cost of a data breach is $139 per compromised record, with slight variations depending on the cause:

1. $154 per record compromised by a malicious attack,
2. $130 per record compromised due to a system glitch,
3. $121 per record compromised due to an employee or contractor error.

This may seem low, but 41 percent of organizations surveyed by the Ponemon Institute had more than 1,000 records affected by a data breach in 24 months, bringing the immediate cost of a data breach to more than $100,000.

For publicly traded companies, research shows that stock prices drop five percent after a data breach disclosure. The time it takes the stock price to recover will be prolonged if the company has poor response processes. Moreover, failure to comply with Australia’s new Notifiable Data Breach (NDB) scheme can result in fines of up to $2.1 million.

Prevention is the best strategy – cyber criminals do not discriminate on company size, and these costs can ruin smaller Australian businesses.

Reputational Consequences of a Data Breach on business

With many Australian companies now required to disclose serious data breaches, dealing with reputational damage is a must. Of the $139 lost on average per compromised record, only $60 is attributable to direct actions such as containment and assessment.

That means more than half of the cost of a data breach is due to indirect consequences, such as managing customer turnover after the incident. Some industries are more susceptible to high churn rates than others – financial services and technology companies, where there is an expectation of high-security measures, are particularly hard hit.

Another consequence of a data breach is the loss of your customer base. After a data leak, losing customers is only natural, as many of them will no longer see your company in the same light. Your company will be seen as untrustworthy because you don’t have the necessary means to protect your data.

It may seem unfair since you didn’t ask to be the victim of a data breach, but you alone have the power to prevent it. Marketing campaigns, hiring media managers and building customer trust after a data breach all cost time and money. It’s ideal to avoid such situations in the first place.

Legal Consequences of a Data Breach on business

The NDB scheme has significantly increased the requirements for Australian organizations in detecting a data breach. Beyond the costs of detection, containment, engagement of external parties (such as lawyers and data forensics teams), and reporting, there may also be significant legal consequences.

Class Action Risk

Victims of cyber attacks face significant difficulties in bringing class actions. Unlike other jurisdictions, such as the United Kingdom, Australia does not recognize tortious interference with privacy. The lack of a general cause of action for invasion of privacy means that victims rely on existing common law and statutory causes of action.

Difficulties in relying on these causes of action have included:

• difficulties in recovering damages for mere injury to feelings or humiliation (breach of trust, breach of contract, and misleading and deceptive conduct); and
• hurdles in establishing a duty of care and actual damages in negligence claims.

An example of these difficulties is the decision to approve the settlement in Evans v. Health Administration Corporation [2019] NSWSC 1781, the first data breach class action in Australia. This class action was brought after an Ambulance NSW contractor unlawfully accessed and sold the sensitive information of over 100 Ambulance NSW employees.

This judgement illustrated that legal uncertainty can and will continue to pose a risk to all parties to data breach class actions until a higher court revisits the issue.

Even in jurisdictions where privacy actions are better established, difficulties remain in quantifying claims and determining damages. In the U.K., for example, in Lloyd v. Google, the Supreme Court recently unanimously overturned a Court of Appeal decision that each of the four million individuals in the class action must prove that Google unlawfully used personal data and that they suffered damages as a result.

OAIC Representative Complaint Process

An alternative and more commonly used avenue available to victims of data breaches is to seek redress in a representative complaint to the Office of the Australian Information Commissioner (OAIC) for breach of the Privacy Act.

Once a complaint is made, the Commissioner decides whether to investigate the conduct and must refer the parties to conciliation if she believes mediation has a reasonable chance of success.

After investigating the complaint, the Commissioner may decide whether to award damages for humiliation or injury to the complainant’s feelings.

In a recent decision, Commissioner Falk established five categories of non-economic damages, ranging from $500-$4000 for “general anxiousness, trepidation, concern or embarrassment” to over $20,000 for “extreme loss or damage.” These damages are in addition to economic loss, which is to restore the complainant to the position he or she would have been in had no harm been done.

However, the Commissioner’s decision is not binding or conclusive on the parties or complainants. The Commissioner must commence proceedings in the Federal Court or the Federal Circuit and Family Court of Australia to compel a decision.

Data Breach Claims Between Commercial Parties

Contractual considerations are increasingly relevant for business partners seeking to minimize their liability for data breach losses.

In particular, contractual legal considerations may arise when a data breach occurs to a company that has outsourced the services of IT to a third party that then failed to protect the information. Contractual claims may arise, e.g., warranty/representation claims between a customer and a company (e.g., a minimum level of security controls) or a claim for damages against a third party.

Parties should consider their contractual obligations (including under their outsourcing arrangements) in their contractual agreements.

The loss or damage that may arise may be significant, such as interruption of business if it must be shut down for a period, reputational or other damage to the business, and breach of contract with customers. Whether damages can be claimed for these losses depends on the terms of the contract.

Mitigating risks

Commercial parties may seek to apportion liability for data breach losses between the parties by seeking indemnification from third parties, limiting consequential damages, and incorporating exclusion clauses in their business agreements.

Indemnities for data breaches are increasingly common. They have often drafted independently of the extent to which the outsourced supplier has access to the data. For a data breach indemnity to apply to a supplier, not in the data security business, an explicit mention of data breaches is likely required to ensure that it is not seen as overly broad/ambiguous.

What do I do if I experience a Data Breach?

If a customer’s information has been breached

An organization that complies with the Australian Privacy Act must notify you if a data breach involving your personal information is likely to cause serious harm.

How you will be told of a data breach?

An organisation or agency may notify you of a data breach by email, text message, or phone call. The notification should include:

• the name and contact information of the organisation or agency’s
• the type of personal information affected by the breach
• a description of the data breach
• recommendations for steps you can take in response.

If an organisation is unable to contact all necessary individuals, it must post the data breach notification on its website. You must also promote this data breach notification, for example, through social media, news articles, or advertisements.

What if you are not told of a data breach? 

If you believe you have not been notified of a data breach, contact the company affected by the breach. Ask the company for information about the data breach (including whether your personal information was affected). The company is required to respond to your request. If the company does not respond to your request or you are not satisfied with the response, you may complain to OAIC.

How to reduce your risk of harm after a data breach?

When you learn of a data breach, act quickly to reduce the risk of harm. Keep a record of what you do, because it can be useful if you suffer a loss.

The actions you take will depend on the information affected. Here is the list of information that could be affected by the breach:

• contact information
• financial information
• information from government identification documents
• health information
• sensitive information
• tax file number and tax-related information
• consumer data legal data

What actions you should take after a data breach?

Here are some actions you can take if a data breach affects you:

1. Contact information such as your home address, email or phone number, you should:
   • Change the passwords on your email accounts. If you have emailed passwords to yourself, change them as well. If possible, activate multi-factor authentication.
   • Be careful with emails and phone calls, as you could be a target for scammers. Only share your personal information if you know who you are sharing it with.
2. Financial information, such as your credit card or online banking credentials, you should:
   • Change your online banking account passwords and your banking PIN;
   • Notify your financial institution that your information has been affected by a data breach;
   • Review your bank statements. If you discover purchases you didn’t make, report them to your financial institution immediately;
   • Request a copy of your credit report to check if it contains any unauthorized loans or applications.
3. Government-issued identity documents such as your driver’s license or Medicare data, you should:
   • Contact the government agency that issued the identification document and use the contact information on their website.
4. Health information, such as your medical records or prescriptions, you should:
   • Contact your healthcare provider using the contact information on their website.

Most Importantly, take care of yourself. If your physical safety is at risk, contact the police. Contact your doctor, an emergency service, or your family or friends if you are in need.

What should you do to avoid a data breach?

It’s always better to play it safe than to regret something later on.

If your business has experienced a breach

Businesses have many privacy obligations to comply with. One of them is how to deal with a notifiable data breach (NDB).

Entities covered by the Notifiable Data Breach scheme

• Businesses with an annual turnover of over $3 million (APP entities)
• Small business operators
• Credit reporting bodies
• Credit providers
• TFN recipients
• Entities with an ‘Australian link’
• Entities disclosing personal information overseas
• Entities disclosing credit eligibility information
• Consumer Data Right entities

What Does a Notifiable Data Breach Look Like? 

A data breach occurs when:

• personal information is lost, or there is unauthorized access or disclosure of information to third parties;
• the loss, disclosure or access could result in serious harm; and
• your business is unable to mitigate that harm.

The breach is notifiable if you have met all three conditions. So, if the harm is not serious or you can take steps to reduce it, it may not be notifiable.

What Makes the Harm of a Data Breach Serious for businesses?

Whether a data breach could result in “serious harm” depends on the perspective of a “reasonable person” in the position. Several factors are considered, including:

• whether the harm is financial, physical, psychological, or reputational;
• whether the information lost, disclosed or accessed is sensitive;
• who received or could receive the information; or
• whether effective security measures were taken to protect the information.

For example, an online marketplace was hacked by an untrusted third- party and customers’ personal and credit card information was exposed. This could result in financial loss or identity theft.

Reporting Obligations of businesses after Data Breach

Once you have determined that an NDB has occurred, you must identify both:

• the individual involved;
• the Office of the Australian Information Commissioner (OAIC).

To report the breach to the Office of the Australian Information Commissioner (OAIC), prepare and submit to the OAIC a report of events that includes:

• a summary of how the breach occurred;
• what data was lost, disclosed, or accessed;
• the impact of the breach; and
• your business name and contact information.

How businesses can reduce the risk of harm from a Data Breach

Prevention is key when it comes to data breaches. You can take technological steps to minimize the risk of data breaches, such as:

• using reputable cybersecurity software;
• keeping documents and passwords in secure locations; and
• using email delay features to quickly recall emails that your employees should not have sent.

In addition, you can minimize human error by:

• training employees in the secure handling of personal information;
• appointing a privacy officer;
• using paper shredders and secure waste garbage cans; and
• implementing a privacy manual that outlines procedures for handling personal data.

Regardless of your precautions, you should still ensure that you prepare for a data breach due to factors beyond your control. You can limit the impact of a data breach by implementing a Data Breach Response Plan (DBR Plan). Your plan should include:

• who in the organization is responsible for handling the breach; and
• what actions to take when a breach occurs.

After a security breach, your primary focus should be on mitigating the breach. This means that you must limit the impact of the security breach by:

• recovering the lost data;
• Deleting files remotely;
• Shutting down the system that led to the breach; and
• Revoking certain people’s access to the system.

If you need to talk to an eCommerce Lawyer, get in touch today.

Contact the team at Prosper Law today to discuss how we can provide you with advice for a fixed fee or at affordable hourly rates. Our privacy lawyers can provide a free 15 minute consultation.

Like this article? Check out:

Can I Collect Personal Information From a Third Party?

What Do I Need In A Privacy Policy?

The Most Important Things to Include in Your Privacy Policy