Determining an 'eligible data breach'

Two recent decisions delivered by the Privacy Commissioner have emphasised the need for organisations to undertake an expeditious assessment of data breaches to determine whether an 'eligible data breach' occurred. An organisation's investigation should consider whether:

• there has been unauthorised access to, or disclosure of, personal information (or loss of personal information that is likely to result in unauthorised access to, or disclosure of, personal information); and
• a reasonable person would conclude that the access or disclosure of such personal information would be likely to result in serious harm to any of the individuals to whom the information relates.

In Pacific Lutheran College (Privacy) [2023] AICmr 98, an email account of the operator of an independent private school was compromised by an unauthorised access by an unidentified third party and used to send phishing emails to over 8,000 email contacts. The compromised account included personal information of a number of individuals, including financial details, tax file numbers, identity information and contact information. It was the ordinary practice of the user of the email account to collect the following types of information as an ordinary part of their role:

• information regarding parents and guardians, including birth certificate, credit card details; Medicare card details; Centrelink Customer Reference Number;
• information regard students, including name, address, date of birth and medical information; and
• information regarding staff, including Tax File Numbers

In Datateks Pty Ltd (Privacy) [2023] AiCmr 97, Datateks (a company involved in building, operating and maintaining communications networks and infrastructure services) identified that three email accounts (including a general email account) had been subject to unauthorised access by a third party and used to carry out a phishing campaign. It was a routine practice at Datateks to hold personal information in email accounts, including individuals' date of birth, credit card information, bank account details, superannuation information, drivers licence, birth certificate, working with children check, Medicare details and Tax File Numbers.

Why timing is everything following a data breach

In both of these cases, the Privacy Commissioner held that at the time each entity became aware of the events (in both cases, within 24 hours of the unauthorised access), there was sufficient information for the entities to reasonably suspect that:

• there had been unauthorised access to personal information; and
• unauthorised access to the types of personal information held in the email accounts would likely result in serious harm to the individuals to whom the information related. The types of harm identified by the Privacy Commissioner included serious financial harm, identity theft and fraud.

Section 26WH of the Privacy Act provides that where an entity has reasonable grounds to suspect that there has been an eligible data breach, but the entity does not have reasonable grounds to believe that the circumstances amount to an eligible data breach, the entity must undertake a reasonable and expeditious assessment of the incident to establish whether they can form the requisite belief.

Critically, section 26WH(2)(b) states that the entity must take all reasonable steps to ensure the assessment is completed within 30 days of forming the suspicion (i.e. within 30 days of becoming aware of the incident). Once the entity has formed a reasonable belief that an eligible data breach has occurred, it must as soon as practicable, notify the Privacy Commissioner (by way of a statement that complies with the requirements of section 26WK(3)(d) of the Privacy Act). The Privacy Commissioner found that neither of these steps had been complied with in either of these matters.

In the Pacific Lutheran College matter, there was a delay in engaging solicitors and a forensic investigator; a lengthy period of time for the forensic investigator to complete their assessment of the incident (which initially focussed on the technical nature of the breach, not whether personal information was affected and the likely risk of serious harm to the individuals); and a further delay, after a reasonable belief had been formed, in notifying the Privacy Commissioner. In total, 200 days elapsed between the college first becoming aware of the incident, and lodging the required notice with the Privacy Commissioner.

In the Datateks matter, there were also delays in engaging cyber security experts to undertake an investigation; a failure of the preliminary investigation to identify what personal information had been compromised and the risk of serious harm to individuals; and a further delay once a reasonable belief in making the required notification to the Privacy Commissioner. In total, 206 days elapsed between Datateks becoming aware of the incident, and lodging the required notice with the Privacy Commissioner.

In both matters, the Privacy Commissioner established the respondents had:

• failed to conduct an assessment of the incidents in an expeditious manner and to take all reasonable steps to complete the assessment within 30 days, in breach of section 26WH(2); and
• failed to notify the Privacy Commissioner as soon as reasonably practicable that an eligible data breach had occurred, in breach of section 26WK(2),
  and made declarations under section 52 of the Privacy Act, that, amongst other things, require Pacific Lutheran and Datateks to engage in specific steps to ensure that the same conduct is not repeated or continued in the future.

Notably, the Privacy Commissioner also made declarations requiring both Pacific Lutheran College and Datateks to develop privacy data breach response plans (specifying the matters to be included in the plans), as well as a range of improvements to their existing IT security arrangements, to ensure compliance with Australian Privacy Principle 11 (relating to the security of personal information).

A robust approach to investigating data breaches

The determinations above reflect views expressed by the Privacy Commissioner in her most recent half-yearly report on notifiable data breaches regarding delays in reporting breaches. In the report, the Commissioner confirmed that organisations that suffer a cyber incident should assume a data breach has occurred, even if it is not possible to conclusively determine from forensic investigations whether personal information has been exfiltrated, outlined in the Commissioner's report on the OAIC website.

It is noteworthy that on Friday 3 November 2023, the Privacy Commissioner announced she had launched legal proceedings against another entity, Australian Clinical Labs Ltd, seeking civil penalties in relation to similar alleged failures (that is, failure to carry out a reasonable assessment as to whether a breach was an eligible data breach, and failing to notify the Privacy Commissioner as soon as practicable). This has clearly become a critical area of focus for the OAIC.

Finally, the proposed reforms to the Privacy Act, if implemented as currently proposed, would see the time for notification to the Privacy Commissioner significantly reduced, to 72 hours from the time of becoming aware of an incident, to align with other Australian regulatory and global privacy notification regimes, and placing further pressure on organisations to ensure they have efficient and effective data breach notification systems and processes in place.
These determinations serve as an important reminder for organisations to ensure they have prepared, updated and tested a robust data breach response plan, so they can act expeditiously in the event of a data breach. It is important to ensure that any response meets the requirements to contain a breach from a technical perspective as well as to ensure that regulatory obligations, including those arising under the Privacy Act are met.

Next steps

Combining our legal and technology consulting expertise, MinterEllison integrates the legal and non-legal aspects of cyber risk, privacy, data protection, and regulatory compliance.

If your organisation holds concerns about the adequacy of its preparation for a data breach, the MinterEllison Cyber security team can assist. Find out more about how we work with our clients to devise optimal solutions for their business.