Australia’s superannuation industry has become one of the latest targets in a wave of co-ordinated cyber-attacks, highlighting the need for robust cybersecurity measures, particularly in the financial sector. Major superannuation providers including AustralianSuper, Rest, Hostplus, Australian Retirement Trust, Insignia Financial and Cbus were among those targeted. The hackers employed “credential stuffing”, using usernames and passwords stolen in other incidents to log in to associated accounts where members had reused the same credentials.

In May 2023, the Australian Prudential Regulation Authority (APRA) wrote to APRA-regulated entities (including super funds) and issued a reminder to be vigilant to reduce the impact of cyber-attacks.[1] Specifically, APRA stated that multi-factor authentication (MFA) is one of the more effective controls for preventing others from gaining access to a device or network and accessing sensitive information. However, despite this warning, many of the super funds affected by the leak are said not to have implemented MFA and are now being criticised accordingly.

Cyber Security Legal Framework

The Privacy Act 1988 (Cth) (Privacy Act) was introduced for the very purpose of protecting the privacy of individuals. This necessarily includes the security with which their information is held. The Privacy Act regulates how Australian agencies and organisations with an annual turnover of more than $3 million are required to deal with personal information.[3]

The Privacy Act provides 13 Australian Privacy Principles (APPs) that apply to regulated agencies and organisations (APP Entities). The APPs include, but are not limited to:[4]

  • APP 1 aims to ensure that APP Entities manage personal information in an open and transparent way. For example, it mandates that an APP Entity has a clear, up-to-date policy about its management of personal information.
  • APP 3 deals with the collection of solicited personal information. It dictates that an APP Entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities. Further, an APP Entity is not permitted to collect sensitive information unless the individual consents and the information is reasonably necessary for one or more of the entity’s functions or activities, unless an exception applies. Sensitive information includes, but is not limited to, health data, financial data, banking details and tax file numbers.
  • APP 11 states that if an APP Entity holds personal information, it must take such steps as are reasonable in the circumstances to protect the information:
    • from misuse, interference and loss; and
    • from unauthorised access, modification or disclosure.

On 29 November 2024, Australia introduced its first standalone cyber security legislation when the Cyber Security Act 2024 (Cth) (Cyber Security Act) received Royal Assent. The Act seeks to bridge the pre-existing legislative gaps through the following key measures:

  • mandating minimum cyber security standards for smart devices;
  • introducing a mandatory ransomware and cyber extortion reporting obligation, requiring certain businesses to report ransom payments;
  • introducing a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents; and
  • establishing a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned.

In effect, the Privacy Act governs how personal and sensitive information should be collected, managed, and used by APP Entities. The Cyber Security Act, on the other hand, specifically targets cyber security, mandating minimum standards to ensure breaches don’t occur, and providing next steps if they do. As such, both the Privacy Act and the Cyber Security Act work together to ensure that personal information is protected.

Adequate Measures

Notwithstanding Australia’s recent reforms to the cyber security and privacy framework, it is evident that data breaches are still occurring at a rapid rate in the age of digitalisation. When queried about the superannuation leak while on his campaign trail, Prime Minister Albanese said he had been briefed, but added:

“Bear in mind the context here – there is a cyberattack in Australia about every six minutes.”[5]

As such, it is more important than ever that both Government bodies and private entities have adequate procedures and measures in place to protect their members’ identities in the unfortunate event of a data breach.

It is recommended that all entities have a data breach response plan which outlines the roles and responsibilities in managing a breach and the steps to be taken to mitigate its impact.

Responding to a Data Breach

Whether or not a response plan is in place, the Office of the Australian Information Commissioner (OAIC) identifies four key steps that should be taken following a data breach:[6]

  • Step 1: Contain the data breach to prevent any further compromise of personal information and limit the widespread effect.
  • Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  • Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
  • Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

While the gravity and impact of each data breach should be considered on a case-by-case basis, every data breach (or suspected breach) should be treated seriously, with steps 1 to 3 above ideally taken simultaneously. There must not be a lengthy delay in the response. That is why planning is essential.

Notifying

In 2018, the OAIC launched the Notifiable Data Breaches (NDB) scheme. Under the scheme, any organisation or agency covered by the Privacy Act must notify both the OAIC and affected individuals when a data breach occurs that is likely to result in serious harm to an individual whose personal information is involved. The organisations required to adhere to the NDB scheme may include:[7]

  • an individual, including a sole trader (though generally, the Privacy Act doesn’t apply to an individual acting in a personal capacity)
  • a body corporate
  • a partnership
  • any other unincorporated association, or
  • a trust.

Aftermath of Data Leak

Notwithstanding the expected consequences that follow in the aftermath of a data breach, including the breach of privacy and, at times, monetary loss, entities should take appropriate action and make concerted efforts to support affected individuals. While stakeholders and regulators may also be impacted, the protection of the member should be of utmost importance.

Understandably, members who become the subject of a data breach may feel vulnerable and that their trust has been compromised. It is important for entities to use the time following a breach to keep members informed and to maintain rapport in a transparent way. Checking in with members and responding to them appropriately will, in turn, help limit any consequential reputational harm.

Further, the aftermath of a data breach is an opportune time not only to assess how your entity responded, but also to consider others affected in the industry and what lessons may be learned.

Lavan Comment

The impact of the recent superannuation data breaches on members is twofold: not only have they put Australian retirees at financial risk, with uncertainty as to their retirement funds, but their identities have also been compromised. Further, when a data breach occurs, it is not only the members who are affected, but also the regulators and stakeholders who deal with the aftermath.

The data breach serves as a timely reminder of the importance for entities of having measures in place and being aware of their duties, particularly regarding reporting (both to members and under statute). Further, it serves as a reminder to individuals to be proactive in how they safeguard their personal data and to be wary of using the same credentials across multiple platforms.

If your organisation is concerned about its obligations under the cyber security legal framework or requires advice on how to respond to a data breach, feel free to contact Iain Freeman, lead Partner in Lavan’s Cyber & Data Protection Team.

Thank you to Jayme Stubberfield, Solicitor, for her valuable research and assistance with this article.


Disclaimer

The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
