Clifford Chance

Australian regulators have flagged a continued focus on securing enforcement outcomes for data privacy breaches.

Regulatory scrutiny of privacy and data protection arrangements in Australia continues to increase, with both the Australian Securities and Investments Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC) flagging an emphasis on enforcement for data breaches in addition to education, conciliation and remediation.

In 2020, ASIC commenced landmark proceedings against RI Advice Group Pty Ltd (RI), alleging that RI's failure to have and implement adequate cybersecurity measures breached its obligations under the Corporations Act 2001 (Cth) – the first time that litigation has been initiated by ASIC in respect of deficient cybersecurity practices.

Most recently, National Australia Bank (NAB) faced questioning from the Australian Federal Parliament's Standing Committee on Economics regarding a 2019 data breach that compromised the personal information of over 10,000 customers.

NAB explained that the data breach occurred as a result of human error, whereby data (including government-issued identification numbers) was uploaded to the websites of two data service companies by a NAB employee looking to make use of data ordering tools.

Following the detection of the data breach, NAB took various steps including:

• notifying and working with industry regulators, including the OAIC;
• offering to cover the costs of independent fraud detection services and the reissuance of government documents for impacted customers, which resulted in a total of $686,878 being paid to impacted customers;
• engaging independent cyber-intelligence consultants to investigate the two websites, which were ultimately not found to be associated with data harvesting, cyber hacking or other nefarious activity;
• uplifting its technical controls (which NAB acknowledged were insufficient at the time of the data breach) to prevent similar transfers of data to unauthorised recipients occurring in the future; and
• terminating the employment of the employee who uploaded the data to the websites in breach of their training and NAB's policies.

Data breaches attributed to human error have since continued to increase according to the OAIC's latest Notifiable Data Breaches Report published earlier this year. The report identified that data breaches resulting from human error accounted for 38% of all data breach notifications for the period of 1 July to 31 December 2020, an increase of 18% from the previous six months.

In a media release regarding the OAIC's Report, Australian Information Commissioner and Privacy Commissioner Angelene Falk said that entities are expected to improve the security of personal information they hold to prevent data breaches and have systems in place to report breaches in accordance with the Notifiable Data Breach Scheme (Scheme), given that the Scheme has now been in operation for three years.

Commissioner Falk cautioned that compliance with the Scheme would be subject to close monitoring and that regulatory action would be prioritised where there are significant failings.

These recent developments reinforce the need for organisations to take appropriate steps to prevent data breaches from occurring (whether as a result of malicious attacks, human error or system faults) as well as to prepare for and respond to data breaches in line with their legislative obligations.