When a data breach involves personal information, one matter that needs to be considered is which privacy law requirements apply to the entity's response to the breach. These requirements can vary depending on which privacy laws apply to the entity and, in some cases, on what information has been compromised.
The privacy law requirements that might apply are those contained in the notifiable data breaches scheme in the Federal Privacy Act. Under that scheme, where an entity covered by the Federal Privacy Act suffers a data breach and a reasonable person would conclude that there is a likely risk of harm to any affected individuals as a result, the entity is required to notify both the regulator, the Office of the Australian Information Commissioner, and the affected individuals.
The scheme also imposes an obligation to conduct an assessment where a data breach is merely suspected, or where it is not clear whether a breach meets the criteria that trigger the notification obligations. The scheme can also apply to entities that are not usually covered by the Federal Privacy Act if they suffer a data breach affecting tax file numbers; this could include State-based public sector entities and small businesses that are tax file number recipients. Failure to comply with the notifiable data breaches scheme can result in civil penalties of up to $2.1 million.
The purpose of notifying data breaches, whether under the notifiable data breaches scheme or under other State-based or international legislation that protects personal information, is to give individuals the opportunity to take steps to reduce the risk of harm that might result from the breach. This might include changing passwords to online accounts, or simply being aware of the possibility of identity fraud. Although the purpose of data breach notification is not to self-report breaches of general privacy obligations, a data breach notification can clearly lead to legal action being taken by an affected individual. For this reason, a protocol should be set up so that, wherever possible, written communications about the data breach are protected by legal professional privilege. This is particularly important for sensitive communications such as a root cause analysis or communications about the adequacy of an entity's cyber security systems.
When engaging third parties such as IT experts to investigate a data breach, entities should consider having their external legal advisers brief the third party, to bolster privilege over both the instructions given to the third party and the third party's report. This is particularly important for serious data breaches.