February was a big month. The new data breach notification legislation passed both houses of Parliament and I’m sure you’ve probably spent hours deciphering the law, and contemplating its ability to protect Australians – i.e. your customers. Ok, maybe you haven’t, but I have, and after digesting it all, I think it falls far short of giving Australians the level of comfort around the security and protection of their data they deserve. Here I make my case:
Exhibit 1
The “only notify if it’s really really bad” threshold test
Notification is required only if serious harm is the likely result of unauthorised access to or disclosure of personal information. So, if there is a 30{3eda5e173ca6275da4995c0ae548c8d458796745545971cbe387f3473f149606} chance of serious harm, or a 90{3eda5e173ca6275da4995c0ae548c8d458796745545971cbe387f3473f149606} chance of some ordinary garden variety harm (but not the serious kind) – the individuals whose information is now floating around freely could still be none the wiser.
Exhibit 2
The “sometimes you just get (un)lucky” loophole
Whether the probability of an event is greater than 50{3eda5e173ca6275da4995c0ae548c8d458796745545971cbe387f3473f149606}, less than 50{3eda5e173ca6275da4995c0ae548c8d458796745545971cbe387f3473f149606} or can’t reasonably be quantified at all doesn’t tell us whether it will, in fact, occur. This is why people buy lottery tickets, right? So, what happens if the serious harm is not a “likely” consequence, but it is suffered anyway? Well, this is where this little loophole comes into play, and the organisation with the lax data protections gets lucky while the individual gets unlucky. There is no obligation to notify, and the victim would be left to try to figure out which of the many many organisations that have access to their data was responsible for the leak before they could even have a chance of some sort of remedy.
Exhibit 3
The “close call” exemption
In this case notification is not required if steps are taken before harm actually occurs, and as a result of that action, “a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm” to the affected individuals. So if an organisation manages to discover the problem quickly enough, and take steps to sufficiently reduce either the likelihood or severity of harm, such that it no longer meets the notification threshold, it doesn’t have any obligation to notify the people whose personal information is affected about the breach, either for the purpose of warning them of the remaining possibility of harm to enable them to take protective steps, or to allow them to make an informed decision about whether or not to continue to entrust this organisation with their data. I’m don’t know about you, but I’m not convinced this passes the pub test…
(And as an added bonus, that exemption continues to apply even if the remedial steps that made the serious harm no longer “likely” were not actually successful in preventing the actual harm)
Exhibit 4
The “faster than a speeding tortoise” timeline
When an organisation has reason to believe that there may have been a breach that would require notification, they have 30 days (and in some cases longer) in which to conduct their investigations to determine whether the notification criteria has actually been met. Reflecting on the efforts being expended at this analogue pace to address a very digital problem calls to mind the lyrics of the immortal Carole King …“And it’s too late, baby now, it’s too late, though we really did try to make it.” Considering that in most cases it takes only 3 days after a breach for data to be misused, if any notification does arrive, it will in most cases be much too late for affected individuals to take steps to mitigate the harm to them. It just doesn’t seem fair to leave consumers in the dark for this long when the world of data “misuse” moves at what might be described as lightning pace.
The Verdict
The value of this legislation is that it will force organisations to report on the most serious and dangerous data breaches. It may give organisations an additional incentive to take care with the data that they hold, and although notification of breaches may come too late to prevent harm, knowing the identity of the organisation responsible may in some cases assist affected individuals to obtain some sort of compensation. However, on the whole, for the reasons set out above, it really doesn’t do enough to truly protect Australians and their data, and doesn’t give individuals enough information to allow them to make informed decisions about who to entrust with their data, or what steps to take to protect themselves. Some organisations have always treated their role as stewards of personal information as a position of trust. No doubt, they will continue to do so. For those who take it less seriously, and there will always be some of those, there are still plenty of places for them to hide from the effects of this new law.
About the author
Aviva Levine joined the Digital Alchemy family in 2011 after four years as in-house counsel at AAPT. Prior to that, from 2002-2007 she worked as a solicitor in private practice at Freehills, one of Australia’s largest law firms. Holding a Bachelor of Commerce and Bachelor of Laws from UNSW Australia, she is a Member of the NSW Law Society and the Australian Corporate Lawyers Association.
The opinions expressed above are the author’s own, and do not constitute legal advice.