Privacy Law Changes
We all create and manage data. The business world is swimming in it. The way we manage this data is crucial and how we deal with cyber attacks is now a greater responsibility.
On 19 October 2016, the Minister for Justice described in Parliament the reasons behind the new Privacy Amendment Bill as: receiving notification of the breach can allow that person to take action to protect themselves from harm.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 will only apply to the “personal information” of individuals, but will have significant practical implications for contractual relationships and corporate data security. Consider the following:
1. Notified data breaches may become immediate public news. Not only will the person affected vent their displeasure on social media and via company and media comments pages, but breaches will be reported in the mass media and recorded for perpetuity online;
2. Privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches. See for example in Australia the database maintained by the Privacy Rights Clearinghouse: https://www.privacyrights.org/data-breaches
3. Contractual parties will know about the breach and may be concerned about whether their confidential information has been breached.
The consequences are potentially very serious for a business the subject of cyber breaches. Standard form confidentiality agreements require parties to: notify the other party of any possible or actual breach of confidentiality; take all reasonable steps required to prevent or stop the breach at the Recipient’s request; assist the other party in connection with any action or investigation regarding any possible or actual unauthorised disclosure. Some confidentiality or non-disclosure agreements may also require that the breaching party indemnify the loss caused by the unauthorised disclosure. That could be expensive!
You should conider obtaining cyber-insurance for this very reason. You may cause damage to anotherparty and be held liable for the breach.
Technology and telecommunications contracts now include specific cyber security provisions, requiring immediate notification on becoming aware of any breach or potential breach. Usually this is defined to include the detection of any malicious code or disruption to services. Frequently this is backed up by obligations for suppliers to provide security reports and allow security audits from time to time.
It may be difficult to comply with these obligations immediately after of a data breach, given the system has been compromised. Contractual compliance will require notice to a contractual party as the first response to a data breach.
Managing breaches in a sophisticated way costs time and money which many companies do not have and much of the focus relates to privacy obligations and personal information.
Data breaches will require a co-ordinated B2C and B2B response. The publicity and brand damage associated with the B2C response is a serious matter, but the failure to observe B2B contractual obligations could leave a company facing major litigation (including class actions if enough parties are affected), terminated contracts and a lack of commercial confidence.
Managing the contractual obligations in the public eye should be done with an organisation having a digital risk management plan. Successfully following that plan and being able to manage an effective response to a breach, is the best action to an online record tracking each reported breach.
Responding to contractual parties will require a different plan for response, especially if an insurer is involved. Early notification to that insurer will be critical in the extent of cover.
There is clearly the potential for cyber breaches to cause significant contractual liability. The potential effect of public disclosures and contractual notification should be quantified and a plan put in place.
You should consider getting specific advice about these issues relating to your company and the effect of the new laws.