CyberFiles | Privacy Edition15 February 2017 | CyberFiles
Third time’s a charm. The long awaited Federal Bill introducing mandatory notification laws in Australia has finally been passed this week by both Houses of Parliament. In this special edition of CyberFiles we reflect on what this ‘watershed’ legislation will require and what it might mean for the insurance industry.
AND…WE’RE OFF! DATA BREACH NOTIFICATION BECOMES AUSTRALIAN LAW
Mandatory notification is now an Australian reality
The long awaited changes to the Privacy Act, implementing in Australia for the very first time mandatory data breach notification laws, are finally here.
Passed by both Houses of Parliament on Monday, the amendments represent a much-needed modernization of the laws dealing with privacy in this country and signal a new era of transparency and corporate responsibility when it comes to protecting individuals’ personal and sensitive information.
It also brings into sharp focus an important risk exposure, long discussed and currently underwritten by insurers in the Australian cyber insurance market: the regulatory, reputational and potential first and third party costs associated with data breach notifications.
So what does this mean for you?
In our Special Edition of Cyberfiles (published December 2015), we provided an analysis of the then current exposure draft Bill which was to be tabled before Parliament by the Coalition.
Whilst not dissimilar and still just as short (only 22 pages), the Bill that was actually passed this week (download here) contains some significant differences to the provisions that were found in the 2015 version.
So to help you navigate these new changes, below we have provided short explanations of some of the laws ‘highlights’ and our views on the impact they will likely have on the Aussie cyber insurance industry when they come into force:
Why are these changes needed?
The government’s general rationale is the laws needed to be changed to allow individuals whose personal information has been compromised to take “remedial steps” to avoid “potential adverse consequences”.
Translation: The introduction of mandatory notification will bring our laws into line with those of other first-world countries and drag serious Aussie breach events out of the shadows and into the light of public scrutiny for the very first time.
This means mitigation of potential third party claims exposures, increased regulatory costs and first party damage (e.g. reputation) should come into sharper focus for business.
Insureds should be encouraged to look more closely at available risk management and insurance solutions to offset these costs. For example, offers of credit monitoring and/or identity theft insurance (as in the United States) may with time become “standard” in the wake of a large breach event. Whilst most available cyber policies contain coverage of this type, scrutiny will no doubt be given to relevant limits and deductibles in light of this new development.
To whom do these new obligations apply?
Entities already regulated by the Privacy Act.
Translation: Organizations currently caught by the terms of the Act will be subject to the new notification requirements. This includes most federal government agencies, credit reporting agencies, credit providers and tax file number recipients.
Significantly for the private sector, the Act also generally applies to health service providers (regardless of whether that is their primary activity) and private sector organizations with an annual turnover of $3M or more.
When do these laws come into force?
The Bill will now be sent to the Governor-General to receive Royal Assent. It is expected the changes will come into force within the next 12 months.
Who needs to be notified?
The new obligations stipulate that an entity must prepare a statement (that complies with the Act) that must be given to both the Australian Privacy and Information Commissioner (‘Commissioner’) and each of the affected individuals.
Translation: There is no discretion or two-tiered system of notification (as in the EU and some U.S. states). Not only does the Regulator need to be informed but affected individuals as well.
This will mean cost, time and resources for insureds. It will make data breach events more public than ever before. No longer will it be possible for serious losses to ‘fly under the radar’. Reputation exposures, as well as the potential for increased first party notification costs and regulatory expenses (all typically covered by stand-alone cyber policies) therefore need to be carefully assessed by insureds.
How do you notify?
The statement must contain 4 prescribed pieces of information. These are:
- The identity and contact details of the entity
- A description of the breach that has occurred
- The kinds of information concerned
- Recommendations about the steps individuals can take in response to the breach.
The entity must then “take such steps as are reasonable” to notify the contents of that statement to each of the relevant individuals or individuals at risk (as well as giving a copy to the Commissioner).
If that is not possible, the entity must publish the statement on its website and take reasonable steps to publicize its contents.
Translation: The legislation incorporates a concept of ‘normality’ when it comes to how the prescribed notification statement is communicated to affected individuals.
If an entity “normally communicates” with a particular individual using a particular method (e.g. post, email, phone), the laws (thankfully) say that this ‘normal’ method can be used to satisfy the notification obligation.
When do you need to notify?
The timing of any notification depends on two issues:
- The notification must be given “as soon as practicable”; and
- It need only be made once the entity becomes aware that there are reasonable grounds to believe that there has been an “eligible data breach”
Translation: This new law allows for some flexibility when it comes to timing. It is not as strict as some. The EU for instance prescribes a 72 hour time limit for notification. Here, the notification must be given ‘as soon as practicable’.
The timing provisions also contain an element of objectivity, in that the entity must first have ‘reasonable grounds to believe’ there has been the requisite breach event. It is not triggered by a mere suspicion.
Another important trigger (see below) for the notification obligations is the concept of “eligible data breach”
What is an “eligible data breach”?
This definition is one of the major ‘gateways’ or triggers for the notification obligations. An eligible data breach occurs when there has been:
- unauthorized access or disclosure of personal information; and
- a reasonable person would conclude this is likely to result in ‘serious harm’ to the individuals to whom the information relates
- personal information is lost
- in circumstances where unauthorized access or disclosure is likely to occur; and
- (assuming unauthorized access/disclosure was to occur) a reasonable person would conclude this is likely to result in ‘serious harm’ to the individuals to whom the information relates.
Translation: This definition may need to be read a few times, but it is an improvement on the ‘thorny’ 2015 version in terms of its expression and practicality!
As a ‘trigger’, it imports some important legal thresholds:
- The objective ‘reasonable person’ test
- An assessment of the “likelihood’ of a certain result (i.e. that it is more probable than not)
- The concept of “serious harm” (see below).
Whilst each breach event will need to be assessed on its merits, these thresholds are designed to ensure that ‘minor’ breach events or events which relate to information that is unlikely to cause serious harm (e.g. where the information stolen is encrypted or ‘salted’) are not caught by the notification requirements.
This is a good thing for business, as it will minimize the compliance and administrative burden placed on insureds, as well as mitigate ‘notification fatigue’.
What is “serious harm”?
This is not defined, but the Explanatory Memorandum refers to it broadly to include serious physical, psychological, emotional, financial or reputational harm.
When is unauthorized access/disclosure likely (or not likely) to result in serious harm?
Whilst each event will need to be assessed on its own facts, the new law requires entities to have regard to the following when making this judgment:
- the kind of information involved;
- the sensitivity of that information;
- whether the information is protected by one or more security measures (e.g. encryption) and the likelihood this could be overcome;
- the kind of persons who may have obtained it;
- the security measures used to protect it
- the nature of the harm.
Translation: While it’s anticipated the Commissioner will publish updated guidelines to assist, each and every breach event will need to be evaluated against these requirements. The intention is to exclude minor breaches to minimize the compliance and administrative burden placed on insureds, as well as mitigate ‘notification fatigue’.
When writing this business, insurers will need to evaluate at proposal stage issues including:
- the types of information held by prospective insureds (e.g. financial details or Medicare numbers may pose a more serious risk of harm than simply names and addresses)
- the combinations of information held (eg names, addresses and dates of birth together might pose greater risks for identity theft than only one of these)
- the permanent nature of the information held (eg details difficult to change such as dates of birth are more of a risk than passwords which are easy to change)
- the sensitivity of the information held (eg children or those at societal risk
- the security measures the insured has in place to protect it,
and rate accordingly. Financial information is not the be-all and the end-all when it comes to ‘risk of serious harm’. Brokers and insureds should consider how best to protect their information assets from a risk management and premium-reducing point of view, and present their information assets to insurers in the best possible light.
NEW: Assessment obligation if “suspicion” of eligible data breach
The changes introduce another new obligation under the Act: to carry out a “reasonable and expeditious assessment” of whether there are reasonable grounds to believe that the circumstances amount to an eligible data breach.
This assessment obligation:
- arises if the entity is aware of reasonable grounds to suspect (but not believe) there may have been an eligible data breach; and
- must be completed within 30 days after becoming aware of that suspicion.
If after that assessment there:
- are reasonable grounds to believe there has been an eligible data breach:the entity must notify ‘as soon as practicable”
- are no such reasonable grounds:notification is not required.
Translation: This is a new, positive requirement. The 30 day time limitation is one of the few hard time limits introduced by these new laws.
However, there is breathing room. If after 30 days of investigation/assessment there are no reasonable grounds to believe an eligible data breach has occurred, the notification requirement is not triggered.
This impetus to investigate highlights the importance of insurer offerings that include the services of expert IT/forensic resources as part of their cyber insurance package. Quick access to these teams will no doubt play an important role in insureds’ decisions on whether to invest in cyber insurance.
Why it’s important to get on the front foot
If an entity:
- takes action in relation to a relevant unauthorized access/disclosure
- does so before it results in serious harm; and
- as a result of their action, a reasonable person would conclude it was not likely to result in serious harm
there is no “eligible data breach”.
Translation: Entities who take responsive and effective action before any serious harm arises (to individuals affected by a breach event) can avoid having to publically notify the breach event.
An example may be if a laptop containing personal information is left in the back of a taxi. It may not be necessary for the entity who lost that laptop to notify affected individuals and the Commissioner if it acts quickly to retrieve the laptop and satisfies itself that the information was not accessed (either by the taxi driver or anyone else) during the time it was lost.
This exception is included as a clear incentive for entities to take positive steps to mitigate a breach situation. It is therefore important that insured’s caught by these new requirements to review with rigor their current breach response plans and consider the value of the expertise cyber insurer claims teams bring to the table as part of their response resources.
What happens if you don’t comply?
Failure to comply is an interference with the privacy of an individual for the purposes of the Privacy Act.
Translation: Non-compliance engages the Commissioner’s broad powers to investigate, make determinations, seek enforceable undertakings and provide remedies (e.g. compensation awards) against insureds. Associated first party legal expenses and third party losses are usually covered by today’s cyber policies.
Civil penalties can also be sought by the Commissioner for ‘serious or repeated’ interferences with privacy. To date, we have not seen the OAIC run such a case, and would not expect to see one unless it was faced with the most flagrant disregard by an insured of its legal obligations. Many policies provide cover for such fines, but there may be little need for it in the present legal climate.
Where to now?
There is still time to prepare.
Insurers and brokers need to use this time to educate themselves on the machinations of these new requirements and the insurance and risk consequences it will have from both an underwriting and claims management perspective.
The analysis above simply touches on some of the highlights. Thankfully the OAIC has committed to working with industry over the next 12 months to provide written guidelines to help navigate these new provisions.
On balance, and compared to other laws around the globe, the changes represent a relatively simple, one-stop-shop notification procedure which balances the need for consumer protection (when ‘serious’ harm is likely to occur) against the added burden this extra legislative requirement will impose on larger business.
Insurance solutions will play an important role in this change. This is the opportunity many in our industry have been waiting for to re-focus clients on the value of cyber insurance solutions, and it’s one not to be wasted.
Until next time…
Special Counsel | Barry.Nilsson.’s Insurance & Health Group
Founding member of Elevista
If you have any questions concerning cyber risks and insurance please contact us.
Download business card
CyberFiles is brought to you by: