elevenM’s Piotr Debowski breaks down two recent privacy determinations by the privacy regulator, explains why the regulator is losing patience with untimely responses, and what this means for entities.
The Notifiable Data Breach (NDB) scheme has been in place for more than five years (since February 2018) and whilst the OAIC has received 1,748 notifications in the last two years alone, it hasn’t penalised any entity.
That is, until last month, when the OAIC released two determinations: Datateks Pty Ltd (Privacy)  AICmr 97 and Pacific Lutheran College (Privacy)  AICmr 98. This marks the first time the OAIC has investigated and made determinations about a failure to comply with the NDB scheme. Let’s look at what happened, some of the key findings, and what implications these determinations have.
What does the Notifiable Data Breach scheme require?
The NDB scheme applies to APP entities, credit providers, entities that trade in personal information and tax file number recipients (collectively referred to as entities in this blogpost) and sets out the following requirements:
- Where they ‘suspect’ that there may have been an eligible data breach (EDB):
- Carry out a ‘reasonable and expeditious’ assessment to determine whether there are reasonable grounds to ‘believe’ that an EDB has occurred.
- Take all ‘reasonable steps’ to ensure that this assessment occurs within 30 days.
- Where they ‘believe’ that an EDB has occurred:
- Notify the OAIC about the EDB in accordance with the prescribed form.
- Notify affected individuals directly or, where impracticable, take reasonable steps to publicise the contents of their notification (such as on their website).
We know that while these requirements are simple to list out, they are complex to comply with, and many entities struggle to meet them. But these two determinations demonstrate that the OAIC is getting serious with ‘try harder’ messaging and is starting to take enforcement action against entities that don’t comply.
Summary and key findings
In both Datateks and Pacific Lutheran College, the OAIC commenced an investigation under s 40(2) of the Privacy Act 1988 (Cth.). This came after the respondents notified the OAIC under the NDB scheme that one or more email accounts they used had been subject to unauthorised access by a malicious third party who then used the compromised email accounts to send phishing emails to contacts.
The OAIC investigated how the respondents handled their EDBs and:
- found that neither of them had complied with their obligations under NDB scheme;
- declared that this amounted to an interference with the privacy of individuals;
- ordered that the respondents prepare and implement an incident response plan, provide a copy of it to the OAIC, and in the case of Pacific Lutheran College also implement an information security program.
The determinations are informative because they demonstrate:
When an entity will be taken to have a ‘suspicion’ that an EDB may have occurred
The determinations illustrate when the OAIC considers that an entity should have had a ‘suspicion’ that an EDB may have occurred. This is important because having a suspicion triggers the requirement to carry out an assessment to determine whether that suspicion amounts to a ‘belief’. And if a belief exists, this triggers the other requirements under the NDB scheme (such notifying the OAIC and affected individuals).
The OAIC considers that an entity will have a suspicion when a ‘reasonable person’ in their position would have formed a suspicion. And they take the view that it doesn’t take a lot for a suspicion to arise.
In Pacific Lutheran College, the OAIC concluded that a reasonable person would have formed a suspicion when the IT team received two notifications that the email account had been compromised: one from another staff member who had received 3 phishing emails from the email account and another from Microsoft. Similarly, in Datateks, the OAIC looked at the fact that “recipients of the phishing emails reported these emails” to the respondent, the respondent then verified that the emails had in fact been sent from the email account, and that the emails contained a malicious link.
What amounts to a ‘reasonable’ and ‘expeditious’ assessment
Entities who have a suspicion that an EDB may have occurred have an obligation to carry out a ‘reasonable and expeditious’ assessment to determine whether there are reasonable grounds to believe that an EDB has occurred. ‘Reasonable steps’ have to be taken to ensure that this happens within 30 days of forming its suspicion.
These determinations illustrate what the OAIC does and does not consider ‘reasonable’ and ‘expeditious’. Entities must do more than merely:
- Identify the source or method of the data breach and contain it. They must also assess the personal information involved and the potential risk of harm that may follow. In Datateks, the respondent carried out a preliminary investigation immediately. However, the OAIC noted that this “appears to have been limited to containing the breach and a very basic assessment of possible attack vendors. This information is not in itself sufficient to make an assessment [of] whether there are reasonable grounds to suspect that there may have been an eligible data breach.”
- Engage a contractor or vendor to carry out or assist with an investigation. There needs to be: (a) clear and documented instructions, (b) an assigning of accountability, (c) monitoring of progress, and, most importantly, (d) an impression of the urgency of responding within a specific timeframe (ideally within the 30 day window). In Datateks, the OAIC noted that within the first 30 days, the respondent had “merely” engaged a cybersecurity specialist and legal representative and participated in an initial triage meeting. The OAIC also noted that “the investigation did not conclude until day 67. Even then, it is not clear that this step was anything more than an investigation into the mechanics behind the breach.” Similarly, in Pacific Lutheran College, the OAIC took into account the delays caused by the respondent, including: seeking a quote from two vendors and not impressing upon them the urgency of responding quickly (resulting in quotes being submitted 5 and 11 days later), the respondent determining that the quotes were too high and seeking a third quote, and the respondent not imposing specific deadlines on the investigator once appointed.
What’s the takeaway?
If there is only one message you take from these determinations, it should be the importance of having a well-considered and regularly tested Data Breach Response Plan in place. Neither respondent to these determinations had one in place. If they had, they would likely have been more conscious of the need to act with urgency and efficiency, and it may have prevented them from being subject to regulatory action. The OAIC has published some useful guidance on Preparing a Data Breach Response Plan as well as on how to Respond to a Data Breach and entities’ obligations under the NDB scheme.
If you’re interested in learning more about how to develop and implement a data breach response plan, contact us at hello@elevenM.com.au or on 1300 003 922.