Data breach law: primary concern is information security, says expert

Helaine Leggat, director of Melbourne firm Information Legal, told iTWire during an interview that cyber security was, by far, the greatest threat to smaller Australian businesses, "and while big business generally responds well, a chain is only as strong as its weakest link, with the result that vulnerabilities in smaller businesses impact upon the entire Australian economy. Smaller businesses must do their part".

Leggat is one of the few people globally to hold a law degree along with with CISSP, CISM, CIPP/US and CIPT credentials.

She has specialised in information (cyber) law, information security, information governance and information privacy since 2000 and has provided services to public and private sector organisations globally across all sectors. She has a CV that would be the envy of anyone in any field.

{loadposition sam08}Leggat describes the company she founded as "a uniquely differentiated risk and advisory service founded on a belief that cyber law is empowering and that it is essential to know your rights".

She said it would be helpful to understand the main issue and the purpose behind the data breach law: that personal information is valuable and sensitive and the law required it be handled in a particular way.

She was interviewed by email.

iTWire: One would imagine that panic stations is setting in in many a small company which crosses that $3 million revenue mark. Is this your experience?

Helaine Leggat: The vast majority (over nine in ten) of Australian businesses are small businesses. They account for 33% of Australia’s GDP, employ over 40% of Australia’s workforce, and pay around 12% cent of total company tax revenue.

I do not have statistics on how many of these meet the $3 million revenue threshold, meaning that they must comply with the Privacy Act (Commonwealth) 1988 (Act), but presumably it is a fair number. In my experience, there is little knowledge of the amendments to the Act, which require breaches to be reported.

I see no panic. To be fair, I think this is not complacency, it is simply that smaller businesses do not know what is required, and if they do, they have little idea of what to do. Even big organisations are struggling.

Aside from smaller businesses that must comply, the fact of the matter is that some of Australia’s best and most innovative businesses do not need to comply with the Act because they currently fall under the applicability threshold.

However, these and many smaller businesses are processing massive amounts of personal information for big businesses that must comply. Think for example, about value-added services (SaaS) built on cloud technologies, where Tier 1 Company X engages Small Company Y to process PI, on solutions built, for example on Amazon Web Services. This is the reality of data privacy processing.

What I have seen over the last five years is big business imposing its own compliance obligations onto smaller businesses. This is a silly situation because the legislature, in its wisdom, sought to exclude smaller businesses from the onerous obligations of compliance – something that comes with a high cost in financial, human, ICT and other resources.

I have seen numerous contracts drafted by lawyers for big business include provisions that smaller service providers must comply with Australian and international privacy law. This heavy-handed approach is not helpful. I think it is better to look for practical solutions.

If one actually reads the provisions and applies them to the facts of the service involved (the processing and flow of PI), it is relatively easy to comply and to manage risk, by paying attention to what matters, and discarding unnecessary contingencies.

Under the amendment to the Act, notification is necessary where there is interference with the privacy of an individual resulting from unauthorised access or disclosure, and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates.

It is helpful to understand the core issue and purpose of the legislation: PI is valuable and sensitive. Law requires that it is handled in a particular way.

This means that any business, big or small, needs firstly to know what PI it has. Secondly, businesses need to examine their business processes to establish how and where PI is processed. At a basic level, it boils down to managing legal and other risk in relation to (i) external situations, and (ii) internal situations.

Once this is understood, the next steps are easy: tell people what you will do, and then do what you told them you would do. It is not dissimilar from principles in consumer law that prohibit misleading and deceptive conduct. Record-keeping and the ability to provide evidence will be key to staying out of trouble.

Legally, this is expressed in the requirement that businesses must have (i) clearly expressed and up-to-date policies, and (ii) establish and maintain internal practices, procedures and systems that ensure compliance.

From my perspective, the primary concern is information security, because without security, the protection of PI is not possible. Cyber security is, by far, the greatest threat to smaller Australian businesses, and while big business generally responds well, a chain is only as strong as its weakest link, with the result that vulnerabilities in smaller business impact upon the entire Australian economy. Smaller businesses must do their part.

Australian companies will have a much longer time than their European counterparts to notify the authorities of a data breach. I think it is something like 90 days versus seven days for the EU. Do you think a longer
or shorter period is good?

It is not true that Australian companies will have a much longer time than their European counterparts to notify data breaches. The Act does not specify a minimum time for notification, but it requires notification “as soon as practicable” after the completion of the preparation of the statement after an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (Section 26WL).

Under the European Union General Data Protection Regulation (Regulation (EU) 2016/679) Article 33 (Notification of a personal data breach to the supervisory authority) requires that in the case of a breach, the controller must “without delay” and, where feasible, not later than 72 hours after having become aware of it, notify the breach to the supervisory authority.

I interpret “as soon as practicable” as equivalent to “without delay”. The fact that the Act does not stipulate a time allowed does not mean Australian businesses have more time. We will see in due course how the courts interpret this provision, but I would caution directors to be mindful of their duties in relation to due diligence and due care under the Corporations Act 2001.

The issue of timing is important because the purpose of breach notification is to prevent or limit harm to individuals. The sooner individuals (and authorities) know that there has been a breach, the sooner they can act to protect themselves.

The issue of timing is one of fact; when does a business know that there has been a breach that triggers notification? There are numerous examples including the infamous Stuxnet worm where malware is designed not to be detected, and where networks have been breached and under surveillance for years on end, without the organisation knowing it.

The Act has a realistic and practical provision in that it recognises situations where a breach is “suspected” and allows for a 30-day assessment period of the situation. It also recognises remedial action taken before access, disclosure or loss results in serious harm to the individuals concerned. This 30-day assessment period must not be confused with the requirement to report.

While this is a practical approach, it does not detract from the purpose that individuals should be able to take action to protect themselves as soon as possible. The trigger to report is when the business is “aware of reasonable grounds to believe” an eligible data breach has occurred, and then it is obligated to promptly notify individuals (and the Privacy Commissioner) at likely risk of serious harm.

How long do you think it will be before some politician or the other starts whinging that this law is adding to business costs and that the threshold - $3 million - is far too low?

Personal information is only one kind of information that the law affords protection. Other protected information includes privileged, confidential and secret information, intellectual property, privacy and so on. The protection afforded is based on the fact that societies consider this information deserving of protection based on historical, cultural, economic, security and other grounds. Governments are voted into power based on policy positions, and these positions are reflected in legislation.

The Act was promulgated in 1988 and has seen several amendments, passed by various governments, both Labor and Liberal, since then. During this time, because of the internet, privacy and personal information have become more and more important.

In a democratic society, the relationship between a government and its people often boils down to trust. As individuals, we give up some of our freedoms, like privacy, for protection by the government in power acting for the state (national security and law enforcement). This culminates in a tension between privacy and security, because in an Internet society security often depends upon surveillance. Politicians understand the need to find a balance, and I believe that Australian politicians, like businesses and individuals wish to work together for Australian society as a whole.

Laws are just rules that govern behaviour within a particular society, time, place and context. All laws come at a cost – a cost to enforce and a cost to comply. Personally, I am sympathetic to all businesses that need to manage privacy law compliance, when their real business is making widgets or mining ore, but the thing is, doing these things involves people and people need protection.

As regards the $3 million turnover threshold, there are arguments that it is too high and that it is too low. While it is not possible to legislate fairly for every situation, I encourage businesses to see privacy and PI, well handled, as a sustainable competitive advantage. I support a risk-based approach where businesses can manage their preferred level of compliance, organisational maturity, risk appetite and budgetary constraints, remembering that entities that build customer trust reduce customer churn. Similarly, politicians who have the trust of citizens are likely to win votes.

How come no politicians or even the media have said much about the data breach law in the last few months?

I would put this down to the fact that the matter of breach notification is finally settled in Australia, bringing it in line with the rest of the world. Mandatory (“notifiable”) data breach reporting has taken five years to become law in Australia. Its history is:

• June 2013: Privacy Amendment (Privacy Alerts) Bill 2013 (2013 Bill) which introduced the concept of “serious data breach” was introduced to the Senate.
• November 2013: Privacy Amendment (Privacy Alerts) Bill 2013 Bill lapsed at the end of Parliament
• December 2015: The Australian Government released draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (2015 Bill) for public submission. Nothing came of this, and the Bill was replaced by the Privacy Amendment (Notifiable Data Breaches) Bill 2016.
• October 2016: The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (2016 Bill) was introduced into the Australian Parliament.
• February 2017: The 2016 Bill was passed on 13 February 2017 and became the Privacy Amendment (Notifiable Data Breaches) Act 2017.
• 22 February 2018: The Privacy Amendment (Notifiable Data Breaches) Act 2017 commences.

It is time to do, not just debate.

As you pointed out to me at the RSA seminar, many shonky legal outfits will be rubbing their hands in anticipation of making some moolah by offering their "services" to those for advice at the last minute. How does one guard against this?

I don’t use terminology like “shonky legal outfits” or “making some moolah”. I have the highest respect for the legal profession and my colleagues in it. I have worked hard to transfer my foreign law degree and will be admitted into legal practice as an Australian solicitor this month.

What I personally am not a fan of is class action lawsuits (the ambulance-chasing contingency cases). I nevertheless recognise the right of legal practitioners to offer such services, and the right of individuals to have them. In some circumstances — and I cite the survivors of Victoria’s devastating 2009 Black Saturday bushfires who secured a $500 million payout in the biggest class action settlement in Australian legal history — they serve an important and equitable purpose.

And finally, with the breach law in place, will the public really get to know about more data breaches than they do at present? Or will things mostly be "adjusted" so as not to make anyone lose face?

I believe that the notifiable data breach amendment will improve individual and public awareness of their rights and protections, and through that individuals should be better positioned to enforce their rights and protections.

That said, the amendment does not provide additional rights — except for the inclusion of tax file recipients — it caters for breach notification of pre-existing rights. This is different from the GDPR which recognises specific additional rights, including the right of reasonable access to enforcement.

The Australian public should be aware that Australian privacy law is not regarded as adequate by EU standards, even after 22 February when the amendment comes into force.

I think the power of privacy law lies ultimately in the hands of individuals, be it in class action lawsuits or the power of social media chatter; from a business perspective, the amendment seeks to enforce responsibility and accountability. All businesses should take privacy seriously. Directors and officers can be personally liable.