Leo Cussen Institute - Privacy Breach Reporting Final
Page 1: Leo Cussen Institute - Privacy Breach Reporting Final

Leo Cussen Centre for Law
31 July 2015

Dealing with Data Breaches – Key considerations
Eugene Foo
Deputy General Counsel
GE Capital
[email protected]
(03) 8807 6970

Page 2

Disclaimer

This presentation provides general information only. The information contained in this presentation does not constitute legal advice and should not be relied upon as such. The views contained in this presentation represent the personal views of the author and do not represent the views of GE Capital.

Page 3

Agenda

• Privacy Breaches

• Framework for Privacy Compliance

• Current Regime

• Mandatory Breach Regime

• Q&A

Page 4

Privacy Breaches

Page 5

Privacy Breaches

• Examples of breaches increasing in the marketplace

• Department of Immigration and Border Protection

  • Data breach involving the personal information (PI) of 10,000 asylum seekers

  • Own motion investigation by the OAIC

• Woolworths

  • Accidental data leak involving thousands of customers’ PI and over 8000 gift card codes worth $1.3M

  • Unprotected spreadsheet sent to over 1000 customers

  • Leading to unauthorised usage of card codes

Page 6

Privacy Breaches

• Ashley Madison

  • Malicious hacking affecting 37 million users’ PI and compromising the company's user databases, financial records and other proprietary information

  • Specific demands for closure of sites by hackers

• Medibank Health Solutions

  • Eye test records and PI of ADF personnel sent to overseas jurisdictions including China, in breach of contract, by contractor Luxottica Retail Australia

  • Contractor’s agreement with MHS was terminated

Page 7

Framework for Privacy Compliance

Page 8

Framework for Privacy Compliance

• OAIC’s Privacy Management Framework

• Breach notification processes are part of a holistic privacy compliance program

• Step 1: Embed a culture of privacy compliance

  • Commitment to privacy compliance – PI is a valuable business asset to be respected, managed and protected

  • Understand key obligations – APP 11; ss 20Q and 21S of the Privacy Act for credit reporting bodies (CRBs) and credit providers (CPs); the TFN Rules if handling TFNs

  • Appoint key roles and responsibilities for privacy management, e.g. appoint a Privacy Officer or specialist team

Page 9

Framework for Privacy Compliance

• Adopt a ‘privacy by design’ approach: privacy is considered across the entire information life cycle and in all business processes and projects – Privacy Impact Assessment (PIA)

• Step 2: Establish robust and effective privacy practices, procedures and systems

  • Must apply throughout the information lifecycle; timely destruction and de-identification can be key

  • Effective training, escalation and risk management processes

Page 10

Framework for Privacy Compliance

• Step 3: Evaluate your privacy practices, procedures and systems to ensure continued effectiveness

  • Regular review and monitoring of the privacy compliance framework

  • Product change processes need to include review of privacy policies and notices to ensure compliance

  • Feedback from customers and staff

• Step 4: Enhance your response to privacy issues

  • External review to identify areas for improvement

  • Monitor for and address new security risks and threats

Page 11

Current Regime

Page 12

Current Regime

• OAIC’s Data breach notification — A guide to handling personal information security breaches

  • Data breaches are not limited to malicious actions (theft or ‘hacking’), but can also arise from internal errors or failure to follow policies and procedures

• Current breach notification regime is ‘voluntary’

  • But OAIC’s expectation is to notify if there is a ‘real risk of serious harm’ as a result of a data breach

  • ‘Real’ cannot be remote: there must be ‘a reasonable degree of likelihood’, ‘real and substantial danger’ and ‘a real and substantial risk’

• Reasonable steps (to protect PI under APP 11) may include a data breach policy and response plan

Page 13

Current Regime

• Key challenge is determining if and when to notify

• Speed is important: act quickly to contain the data breach

• Things that can be crucial:

  • Establishment of a breach response team, with representatives from relevant areas to investigate, conduct risk assessments and make decisions / take action (e.g. senior management, IT, public relations and legal)

  • Internal communication and training – staff are trained to identify a data breach, are trained to respond and are aware of relevant policies and procedures

Four key steps to consider in response:

• Step 1: Contain the breach and do a preliminary assessment

• Step 2: Evaluate the risks associated with the breach

• Step 3: Notification

• Step 4: Prevent future breaches

Page 14

Current Regime

Four key steps to consider in response:

• Step 1: Contain the breach and do a preliminary assessment

  • Stop the unauthorised practice, recover the records, or shut down the compromised system

  • Scope of the breach, impact on customers

• Step 2: Evaluate the risks associated with the breach

  • The type of personal information involved

  • The context of the affected information and the breach

  • The cause and extent of the breach

  • The risk of serious harm to the affected individuals

  • The risk of other harms – reputational, financial, loss of assets etc.

Page 15

Current Regime

Four key steps to consider in response:

• Step 3: Notification

  • Notify or not: is it appropriate in the circumstances – is there a ‘real risk of serious harm’?

  • When and how, and who should be notified (customers, anyone else, the OAIC?)

  • What information should be included in the notification

  • Need to check and verify remediation / notification

• Step 4: Prevent future breaches

  • Audit and review of processes and procedures

  • Important to close the loop and fix any deficient processes or procedures

  • Also need to check and verify remediation

Page 16

Current Regime

• General tips

  • Speed: take each situation seriously and move quickly to contain and assess the suspected breach

  • Be on guard: breaches can initially seem immaterial but may be significant when their full implications are assessed

  • Parallel processing: APP entities should undertake steps 1, 2 and 3 either simultaneously or in quick succession. It may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs

  • Case by case: the decision on how to respond should be made on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. Additional steps may also be required

Page 17

Mandatory Breach Reporting

Page 18

Mandatory Breach Reporting

• No Mandatory Breach Reporting Bill has been introduced into Parliament yet

• Government has committed to end of 2015 timing

• Possible scope: public and private sectors – APP entities

• Threshold for notification:

  • One possible approach could be based on the current standard of ‘real risk of serious harm’

  • This would ease the transition for APP entities already complying with OAIC’s Data Breach guidelines

Page 19

Mandatory Breach Reporting

• Other issues:

  • Time for implementation – APP entities require sufficient time to properly implement

  • Proper consultation

  • OAIC guidance

  • Safe harbour for malicious hacking (APP 11)?

  • Form of notification to consumers

  • Form of notification to the OAIC

  • Technology neutrality is important

Page 20

Q & A

Page 21

Q & A

Any Questions?