We’re joined today by Michael Pattison who heads up the Technology, Media and Telecommunications Group at Allens, and Michael thank you for joining us again on BRR Media.
Nice to be here again Kate.
Now Michael I understand the Privacy Commissioner released yesterday a new guide on how organisations should respond to data breaches. What does the guide cover?
Kate, the guide addresses one of the most difficult issues that arises when an organisation is hacked or has another sort of data breach: should the organisation notify the affected individuals that their personal information may have been compromised? The significance of the guide is that data breaches are increasingly common. The Privacy Commissioner received notification of 56 data breaches last year, so that’s more than one a week, and I think it’s fair to assume that there are a lot more data breaches that weren’t in fact notified to the Privacy Commissioner. So there’s an increasing number of privacy breaches, and the question of what businesses should do when they face a privacy breach is one that’s going to arise for a lot more businesses in the next 12 months.
The guide also covers some of the other issues that arise if your business has had a data breach, but I think it’s the Commissioner’s view on data notification that will be of most interest to the business community.
And what is the Commissioner’s view on data breach notification? Do all breaches need to be notified?
Kate, the first thing it’s important to remember is that in Australia there’s no legal obligation to notify data breaches. The position’s different overseas in some places, particularly the European Union and some states in the United States, but in Australia there’s no legal obligation to do so. Pleasingly, the Commissioner seems to have recognised that it’s impossible, or not appropriate, to impose a general obligation to notify all breaches. He seems to recognise that if you have too many breaches being notified it can just lead to unnecessary anxiety on behalf of individuals about breaches that really don’t matter at all, and perhaps people get desensitised. So the Commissioner’s calmed down and agreed that not all breaches need to be notified. On the other hand, if there’s a “real risk of serious harm”, and that’s the phrase the Commissioner uses, the Commissioner’s view is that individuals should be notified. And as always, in between it depends, and you know I think this is going to be a really delicate balancing act for businesses when a data breach occurs to them, because sometimes to notify the breach might in fact jeopardise the investigation into the data breach, resulting in the destruction of evidence for example, and other times it’s important to get out there and notify people so they can take appropriate corrective action, and businesses will have to weigh up these particular considerations very carefully. I think if you don’t notify, you have to think carefully about what the public relations impact is going to be if it’s eventually found out and becomes public that you’d had a data breach and you hadn’t notified the individuals. So businesses that choose not to notify, and sometimes that is the right course, really do need to think about how they’re going to manage any fallout if it later becomes public that a breach occurred and they didn’t notify people of that fact.
Yes certainly. And Michael just looking at businesses and the guide, are they legally bound to comply with the new guide?
No, the guide’s not legally binding, but it is important because it shows the approach that the Commissioner’s likely to take when a data breach occurs. And the guide states that many of its recommendations are highly recommended, and that probably means that businesses that choose not to comply with the steps stated in the guide are on notice that there will be questions asked if a data breach does occur. And there’s been a recommendation by the Law Reform Commission that the Privacy Act be amended to make data breach notifications mandatory. Now that would be a change in the law and it’s currently still under consideration by the Government; it’s been quite controversial. The Commissioner has stated that the operation of the guide could inform the Government’s response to the recommendation that notification be made law. So it might be a bit of a hint by the Commissioner there that businesses either have the choice of complying with the guide voluntarily or having the law changed to make notification mandatory.
And Michael just finally you referred at the start to some of the other issues covered in the guide, can you just give me a quick summary of those other issues?
Sure, the guide recommends a four-step response to data breaches. The first step is you have to contain the breach and do a preliminary assessment of what damage has occurred. By containing the breach the guide means taking steps to stop the breach getting worse, and that might require at times shutting off websites, shutting down data systems, indeed maybe even stopping doing business by a particular channel until you work out just how the data breach has occurred and that no further breaches are going to occur. So these are pretty serious steps that have to be taken, and that has to be done very quickly. The next step is to evaluate the risks associated with the breach and just work out what information was taken, how sensitive that information is, and how widely it’s been disseminated. The third step is to decide whether or not to notify people that there’s been the data breach, and the final step is of course to prevent further breaches occurring. And the guide’s got a lot of good practical advice on all of these four steps. A particular recommendation that I think businesses should take note of is the recommendation that businesses proactively develop a data breach response plan; I think that’s quite a good idea. When a data breach occurs a lot’s going to be going on, you’re going to have a lot of things to consider, you’re going to have to think about your legal obligations, media relations, should you notify, who should you notify, what should you notify, what type of protective reaction you should be taking. All of these things are a lot better having been thought about in the clear light of day, rather than being done on the run in response to a particular data breach.
Yes certainly, it makes sense to have a bit of a pre-plan. Michael, thank you so much for taking us through the new guide.
My pleasure Kate.
That was Michael Pattison, who heads up the Technology, Media and Telecommunications team at Allens. Now listeners of course if you have any questions for Michael send them through either using the panel on your screen or otherwise via email to email@example.com.