Retailer obligations: Who is responsible for a data breach?
By Anthony Lieu
In October 2015, major Australian retailer Kmart confirmed that some of its customers’ personal information had been hacked, including their email address, home address and phone number. In response to the hack, Kmart sent out an email to all affected customers to alert them of the incident, and also contacted IT forensic investigators, the Australian Information Commissioner and the Australian Federal Police. The incident then raises the question: when there is an online retailer privacy breach, what are the consequences?
The Australian Privacy Principles (APPs)
The Australian Privacy Principles (APPs) are set out in Schedule 1 of the Privacy Act 1988 (Cth). The APPs set out how most Australian entities must handle, use and manage personal information. These obligations affect government agencies, some small businesses, all private sector and not-for-profit organisations with an annual turnover of more than $3 million as well as all private health service providers.
Under the Privacy Act, all APP entities must comply with the thirteen principles, and an entity will be held in breach if it acts contrary to, or inconsistently with, one of the principles. A breach of the APP will be deemed an interference with privacy and could lead to an investigation by the Australian Information Commissioner. Serious and repeated interferences may potentially lead to civil penalties of up to $1.7 million for corporate entities.
What are the retailer’s legal obligations?
Under the APPs, online retailers have legal obligations to install reasonable security safeguards and take reasonable steps to protect the personal information they hold.
APP 11 states that if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
- From misuse, interference and loss; and
- From unauthorised access, modification or disclosure.
Furthermore, an entity that has collected personal information but no longer needs the information must take reasonable steps to destroy or de-identify the information.
Reasonable security safeguards of personal information may include, but are not limited to, the following:
- Risk assessment
- Privacy impact assessments
- Staff training
- Technological safeguards
- Continuous monitoring and review
- Notification of breach
Taking reasonable steps to prevent data breaches may include, but are not limited to, the following:
- Development of data breach policies and response plans
- Notification of individuals and the Office of the Australian Information Commissioner (OAIC) if the harm is serious.
If a breach has occurred, OAIC encourages entities to:
- Contain the breach – taking all steps possible to stop the breach immediately and conduct a preliminary assessment as to what can be done.
- Evaluate the risks – taking into account the type of information involved, the cause and extent of the breach.
- Prevent future breaches – reviewing prevention plans or implementing one proportionate to the significance of the breach.
Reform to address an online retailer privacy breach
While reporting data breaches is not mandatory at the moment, this may change in the coming year under the Privacy Act. In December 2015, the Australian Government released an exposure draft of a mandatory data breach notification bill – the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 – that will require all APP entities to notify the Federal Privacy Commissioner and individuals of serious data breaches.
The requirement set out in the Bill will not only apply to APP entities but also to foreign companies that deal directly with Australian consumers, or who process personal information on behalf of Australian businesses. The test will be based on whether there are reasonable grounds to believe a serious data breach has occurred. A ‘serious data breach’ will be taken to have occurred if:
- There is unauthorised access/disclosure of the information which will result in real risk of serious harm to the individuals related;
- The information is lost, and it is likely unauthorised access/disclosure of it will occur, which will result in real risk of serious harm to the individuals related;
- The Bill also allows for the government to prescribe specific categories of data to trigger automatically the notification requirement if necessary.
Under current legislation, online retailers have an obligation to take reasonable steps to protect their customers’ personal information, however, as long as they can show they have taken these steps, they are limited in their liability in case of data breach. Changes in privacy reform will likely add a further mandatory requirement of reporting in cases of serious data breaches.
Anthony Lieu is a strategist and lawyer at LegalVision with a strong background in understanding the myriad of legal issues surrounding online businesses.