Recent high-profile cyber attacks have confronted businesses with the dilemma of whether or not to pay a ransom when they fall victim to an attack. Where personal information has been compromised, striking an agreement with a cyber pirate might prevent serious harm to the affected individuals.
Under Australia's new mandatory data breach notification scheme, the obligation to notify an "eligible data breach" to the Office of the Australian Information Commissioner (OAIC) and to potentially affected individuals does not arise if an entity is able to take remedial action before the breach causes serious harm.
Will paying a ransom to a cyber pirate constitute sufficient remedial action to relieve an entity of its obligation to notify the breach to the OAIC and affected individuals?
Australia's new mandatory data breach notification scheme
From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme, known as the Notifiable Data Breaches (NDB) scheme. Its purpose is to ensure that individuals whose personal information has been compromised are told about it, so that they can take steps to reduce the risk of harm to themselves.
Entities subject to the Privacy Act will be required to notify data breaches to both the OAIC and the individuals who are likely to be at risk of serious harm from the breach. The notification obligation applies only to "eligible data breaches": unauthorised access to, unauthorised disclosure of, or loss of personal information, where a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates.
Exception - remedial action
The new scheme encourages entities to be proactive in taking steps to address data breaches, by providing an exception to the notification obligation where an entity takes remedial action before serious harm is caused by the breach.
This exception will apply if:
- the entity takes action in relation to a data breach before it results in serious harm to any of the affected individuals; and
- as a result of the action, a reasonable person would conclude that the data breach would not be likely to result in serious harm to any of those individuals.
If these elements are satisfied, an entity is not required to notify the data breach to the OAIC or affected individuals.
How will dealings with cyber pirates play out?
The OAIC has published draft guidance on the new scheme that contains examples of remedial action that may prevent serious harm. One such example is where an email is sent to an incorrect recipient, and the sender contacts the recipient and asks them to permanently delete the file.
Arguably, striking a deal with a cyber pirate is similar: you make contact with the hackers, pay the ransom, and ask them to permanently destroy the personal information they stole.
However, it is questionable whether this would satisfy the second requirement of the exception, namely that, as a result of the remedial action, a reasonable person would conclude that the data breach would not be likely to result in serious harm to the affected individuals. The misdirected-email example involves an identifiable recipient who has no motive to keep the data. A ransom deal involves a criminal who has already copied the data off the entity's systems, who may have sold or shared it before payment, and who can keep a copy and extort the entity again; nothing prevents this, and the entity has no way to check. While an entity might argue that an attacker's assurance that the stolen data has been deleted is enough to alleviate the risk of harm to the affected individuals, a reasonable person might well not agree.
But what if an entity obtains satisfactory proof that the stolen data was not used and has since been deleted? Arguably that would satisfy the second requirement of the exception and relieve the entity of its obligation to notify the OAIC and affected individuals. In practice, though, such proof is hard to come by: the entity cannot verify that no further copies exist on systems it does not control, and an attacker's own statements or screenshots are not independent evidence. Any decision to rely on the exception should therefore be documented, recording the evidence relied on and the reasoning behind the assessment, since the OAIC can direct an entity to notify a breach that it considers eligible.
Where to now?
While paying a cyber pirate's ransom may not be what the legislators had in mind, the analysis demonstrates the value of being proactive in taking positive steps to address data breaches. In particular, entities should be getting ready for the new mandatory data breach notification scheme by putting in place response plans that enable them to contain, assess and respond to data breaches promptly; the scheme itself requires an entity that suspects an eligible data breach to complete its assessment within 30 days. Doing so will help entities mitigate potential harm to affected individuals if they suffer a data breach and, in some cases, avoid the need to notify the OAIC and affected individuals. Entities should keep in mind, however, that they may still have reporting obligations under other laws if they fall victim to a cyber attack.