Names, addresses and lonely hearts: Managing personal information security breaches in accordance with the Privacy Act 1988 (Cth)

In January 2014, Cupid Media Pty Ltd (Cupid Media), the operator of 35 dating websites, fell victim to hackers who managed to steal the personal information of around 254,000 Australian Cupid site customers (that is not including its overseas customers!).  The information the hackers managed to gain access to included the full names of customers, their dates of birth, email addresses and passwords.  Subsequently, the Australian Privacy Commissioner found that Cupid Media had breached the Privacy Act 1988 (Cth) by failing to take reasonable steps to secure the personal information held on its websites.

Although Cupid Media was commended by the Commissioner for working co-operatively with the Office of the Australian Information Commissioner (OAIC) and for taking steps to manage the breach, Cupid Media’s experience highlights the importance of entities understanding and complying with their obligations under the Australian Privacy Principle 11 (APP 11).

What is my entity required to do?

Generally, entities have obligations to put in place reasonable security safeguards and to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.  In practical terms, this means that entities should have in place practices and procedures – such as a data breach policy and response plan – to deal with security issues as and when they arise.

The most crucial consideration for an entity when dealing with a personal information data breach is to determine whether it should notify anyone of the breach.

There’s a security breach! How should my entity respond?

Step One: Contain and Assess

This initial step requires a fairly common sense exercise.  In the first instance, upon a breach occurring, an entity should take steps to contain the breach.  This may be achieved by shutting down a particular system or withdrawing access to equipment or a network.  Secondly, the entity should carry out a preliminary assessment, whereby an individual with decision making power considers the personal information at risk, the cause of the breach, the harm that may be caused and who may need to be notified immediately.

Step Two: Evaluate risks

Following that initial assessment, entities should undertake a more detailed consideration of:

  • The type of personal information involved: For instance, the release of certain information (such as a party’s Medicare number, driver’s licence number, health information and financial details) is more likely to harm an individual than the release of other information (such as the mere release of a name and / or address).
  • Context of breach and extent of breach: The nature of the entity’s response will depend on who was exposed to the personal information, the number of people exposed to the information, whether the information was lost or breached as a result of illegal activity and whether the breach was the result of an ongoing problem or an isolated event.
  • Assess harm: This assessment should be twofold – considering the potential harm to the affected individuals and the harm to the entity.  A breach with respect to an individual could result in identity theft, financial loss, threats to physical safety, loss of commercial opportunities and / or damage to reputation.  On the flipside, if the entity does not manage the breach effectively, it could be exposed to loss of public trust, reputational damage, financial exposure, regulatory penalties and legal liability.

Step Three: Does my entity need to issue a notification(s)?

The third step is the most important step for entities – the entity needs to consider whether notification is appropriate in the first instance, who should be notified, when and how notification should occur and what information should be in the notification.  The key consideration to bear in mind when making this call is whether the breach could create a real risk of serious harm to the affected individual(s).  If the answer is yes, the affected individuals should be notified as soon as possible.

It may be appropriate for your entity to notify other parties – such as the OAIC, the police or insurers.  Entities are likely to receive far more favourable treatment if they notify and fully inform the OAIC of the breach in the first instance.

Step Four: Preventing future breaches

The final step in responding to a breach is for the applicable entity to consider the cause of the breach and to develop an effective prevention/response plan and procedures.  Ideally, entities should already have a prevention/response plan and procedures in place in order to ensure they are complying with APP 11.

A response plan would address matters such as the contact details of staff involved in dealing with privacy issues, their roles and responsibilities, the processes to be implemented to contain breaches and to investigate breaches and when and how external parties may need to be informed of and / or brought in to assist with breaches.

Depending on the size of your entity, it may also be appropriate to set up a permanent breach response team, composed of employees who would be engaged in investigating a breach and making decisions on how to manage the breach (such as IT, legal and human resources management).

Lavan Legal comment

If your entity fails to manage a breach effectively, a complaint may be lodged about it with the OAIC, or the OAIC may decide to initiate its own investigation into the breach.  The OAIC has wide ranging powers to deal with such breaches, including requiring entities to pay compensation or to enter into undertakings, and seeking civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

It is important that your entity has in place an appropriate security system and policies and procedures to protect the personal information it holds and to manage any security breaches that may arise.  If your entity requires assistance in developing an internal system for preventing and/or managing security breaches, please contact Iain Freeman.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.