For several months I had reserved this issue of the Unimutual Update for a special announcement on the topic of cyber-crime.  By my calculations a very important event in the regulation of data breaches was scheduled to take place in late November 2016 and I had hoped that the Mutual would be one of the first to announce this significant change to the Membership.  That plan did not work out.  In this issue of The Update, I had planned to announce the passing of Australia’s first mandatory data breach Bill, as I expected it to rapidly be adopted by the Parliament, by the time of this writing.

Why is this piece of regulation so important?  Members will be very familiar with the concept of data breaches and the loss of private data.  These breaches can occur from many sources, and the news is frequently full of stories about massive losses of personal data affecting companies.  In 2016 alone we saw that US Healthcare provider Centene lose the records of 95,000 of its clients by misplacing important hard drives.  Some of the more interesting data breaches this year included the US FBI, where hackers stole the personal records of an estimated 20,000 FBI employees and posted much of that information on the Internet.  Of course one of the most troubling data breach stories of 2016 regarded, a hacker called Peace who posted data on the dark web to sell, which allegedly included information on 167 million LinkedIn accounts and, in the following week, he offered for sale 360 million emails and passwords of MySpace users.

Many of us who regularly attend Australian cyber-crime conferences have grown quite familiar with the fact that much of the hard data about the cost and impact of cyber-crime comes from US sources.  This is not to say that the US an excessive hotbed of cyber-crime, although it very well may be, but the reason we know so much about data breach incidents in the US, and other jurisdictions, is that there are laws which make disclosure of such cyber-crime events mandatory.  Such laws, from a risk perspective, have been instrumental in informing the public of the size and extent of data breaches and has been a driving factor of the interest in cyber security.  These high profile stories certainly impact reputation as well.

In Australia, such stories are relatively rare.  Experts tell us that is not because Australian IT systems are especially well designed to protect against cyber-crime, but more due to the fact that it is not required to report incidents data breaches to any regulatory body.  These losses could be kept “in the tent”.  That lack of information about data breaches in Australia is about to end.

In Australia, the issue of mandatory reporting has been under consideration for quite a while, at least dating back to 2008.  The current Bill, which I had planned to write about, addresses the issue of mandatory reporting of serious personal data breaches.  The information about the Bill can be found https://www.ag.gov.au/consultations/pages/serious-data-breach-notification.aspx including public submissions and comments.  The site includes the December 2015 Attorney General’s discussion paper.  The Bill itself was scheduled to be tabled during the last week of November, however, due to an interruption in the schedule of Federal Parliament as a result of the actions of pro-refugee protestors who succeeded in disrupting the House of Representatives, the Bill will have to wait until the next session in 2017.  In general, the Bill is designed to become an extension of the Privacy Act, and regards businesses with over $3 million in annual turnover.  It regulates the actions an organisation must take when it has discovered a data breach which includes customer/client personal information.  Examples of such personal information includes personal details, credit information, medical information, tax file information, etc.

The Bill recognises two different ways personal or private data can be “breached”.  Firstly, as you might expect from the examples above, the data is breached as a result of some unauthorised access to the organisations’ databases.  This could be the result of a hacker, phisher, or other cyber-criminal, working from the outside and successfully breaching the organisations IT defences.  I assume this will also include acts of employees, who commit cyber-crimes from inside of the organisation, which is quite common.  The second situation regards the simple losing or misplacing of the data itself.  This could include the loss of a laptop or a data storage device such as an external hard drive or USD storage device, which contain personal information of staff or clients.

While we will not know the details until the law is passed, we can make some assumptions about the post-event responsibilities of entities which have lost personal data.  A reportable incident will be one where a reasonable person would conclude that the breach could result in serious harm to the individuals whose data was released.  This could also include overseas disclosures, whereby, through the actions of a third party, for example a cloud provider located in a different country, experiences a data breach and has released your data.

When the law comes in to effect, we expect to see that in cases where Members who have discovered a serious data breach will have to:

• Notify the appropriate regulator or the Privacy Commissioner. We anticipate that this need not happen as soon as the loss is discovered, as there will be a provision for a period of 30 days to assess whether the data breach is serious and notification is required.
• If the breach is serious, the entity must notify all each affected individuals whose personal data has been released, using whatever channels they normally use (such as email, post, phone, etc.)  to inform them their personal details have been taken.
• If individual notification is not possible, the entity will be required to publish a notice about the data breach on their website, in social media or via print media.

Of course there will be exceptions and this article is not legal advice, but is designed to inform Members of the pending legislation and its impact on the higher education sector.  It is possible the Bill will change as part of the approval process, but all Unimutual Members should be aware of the upcoming notification requirements.  It is almost certain that the holder of the lost or hacked data, will be required to provide information about the breach, and take steps on behalf of the affected individuals to ensure that any impact from the breach is minimised.  This could including giving the advice of how to reduce the possibility of identity theft, fraud or other potential losses related to the breach.

Of course there will be costs associated with such data breaches in the future.  If the US experience is any guide, the notification of individuals who have had their data released is an expensive prospect, especially if large numbers of individuals have been affected.  This notification requirement and its associated costs has been a driver of the purchase of cyber-crime insurance, a policy which is currently provided to Unimutual Members.  The Mutual will continue to track this pending legislation and keep Members informed.