How should Directors weigh external advice against the obligation to notify customers of data breaches?
Notifiable Data Breaches: GoGet’s Alternate Ending
With “Data Privacy Day” having just passed on 28th January (yes, that’s a thing) and looming changes from the Privacy Amendment (Notifiable Data Breaches) Act 2017 (the Act) set to commence this week, what better time to put some context around your organisation’s privacy principles?
We’ve all had time to digest the amendment since its introduction a year ago. However, if you do need a refresh on the Who-What-When-Where-How, you can find excellent guidance straight from the horse’s mouth at the Office of the Australian Information Commissioner (OAIC).
For now, let’s take a look at the real-life story that GoGet has so conveniently gifted us at just the right moment.
On 31 January 2018, GoGet informed its customers of a systems breach that it had known about for seven months. The car-sharing service claimed that the hacker had been using the company’s vehicles without permission or payment, and in the process had gained access to personal data belonging to its customers.
A NSW Cybercrime investigation led to police advising GoGet that there was no evidence that the personal data had been disseminated and, importantly for our discussion, warned against going public with the breach:
In the land of cybercrime – where fairytale endings are uncommon – it would seem that GoGet’s decision to stay silent about the breach until the apprehension of the bad guy made its delayed notice to affected customers land a softer, almost innocuous blow.
But what would happen if you read the exact same story in the setting of life after Notifiable Data Breaches?
What, if anything, would change? Would GoGet be within its rights to withhold the data breach from the OAIC? From its affected customers? What role would the third party’s (NSW police) advice play in determining whether GoGet has behaved in accordance with the Act?
As the conscience of an organisation, how do Directors and Officers weigh external factors and advice against the obligation to notify?
Section 26WQ of the Act provides an alternative to GoGet’s risky plan: apply for an exception from the Commissioner.
Under this provision, the Commissioner may make a declaration that notice is not required if satisfied that it is reasonable to do so in the circumstances, having regard to the public interest; any relevant advice (e.g. from an enforcement body); and any other relevant matters.
So, was Section 26WQ written for a situation like GoGet’s? The OAIC says this section will only be used in “exceptional” circumstances. Does the kind of advice NSW police provided GoGet amount to “exceptional”?
The OAIC says its first 12 months’ focus will be on “working with entities to ensure that they understand the new requirements and are working in good faith to implement them.”
As Directors and Officers, are you prepared to rely on this statement, coming from an agency which, until now, has not exactly doled out tough punishments – but that now can enforce penalties of up to $2.1 million?
Furthermore, do you want to be the company to test this?