The Ashley Madison hacking incident has, among other things, renewed interest in mandatory data breach notification.

Before the last Commonwealth election the previous government had announced an intention to amend the Privacy Act 1988 to introduce mandatory data breach notification, which we considered at the time. While it may seem obvious, it can actually be quite complex in practice to determine whether or not a notifiable security breach has occurred for legal purposes.

Under the 2013 draft notification provisions, a serious data breach was defined to have occurred where:

  • there has been unauthorised access to, or disclosure of, information, and information has been lost in circumstances that could give rise to unauthorised loss or disclosure
  • there is a real risk of serious harm to any of the individuals to whom the information relates as a result of the breach.

If a serious data breach occurred, the affected entity would have had to, as soon as practicable after it has formed a view on reasonable grounds that there has been a serious data breach:

  • give notice of the breach to the Privacy Commissioner
  • take reasonable steps to give notice to each of the individuals significantly affected by the breach.

When the Parliament was prorogued for the September 2013 election, the Privacy Amendments (Privacy Alerts) Bill 2013 lapsed.

In the Government’s 3 March 2015 Response to Recommendation 39 of the Parliamentary Joint Committee on Intelligence and Security report on the Data Retention Bill, the Attorney General and Minister for Communications announced that the government agreed “to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on the draft legislation.”

According to recent press reports, an exposure draft of the legislation will be released soon and the government will consider the view of industry and other stakeholders before finalising the legislation.

It will be interesting to see how different the new draft legislation will be from the 2013 version, including the scope of coverage of the breach notification obligations, who must be notified and what exceptions or new inclusions will apply.

For example:

  • Will the mandatory data breach notification obligation apply only to information retained under Data Retention obligations, or to all personal information held by APP entities? It seems likely that it will apply to all personal information held by any APP entity.
  • While it is likely that ISPs holding retained data will have to report any breach, will that obligation extend to law enforcement and national security services who access it?
  • Will it be possible to opt out? One might think that some subscribers to Ashley Madison, for example, would prefer not to be sent an email confirming that personal information in relation to his* account had been breached.

*According to reports, 95% of Ashley Madison’s subscribers are men.