RESEARCH AND BRIEFINGS

Mandatory Notification: Understanding Your Obligations After a Cyber Attack

What does “mandatory notification” mean within the context of a cyber attack?

Mandatory notification refers to a legal obligation to notify individuals in the event that their personal data may have been compromised as a result of a cyber attack.

Mandatory notification is distinct from:

  • Reporting a cyber attack to ASIC, APRA or other regulators as part of a company’s existing legal and compliance obligations
  • The voluntary reporting of cyber crime incidents, which may be in breach of Australian law, to the Australian Cybercrime Online Reporting Network (ACORN)

What are the current requirements in Australia regarding mandatory notification?

Under current legislation, Australia does not impose a “mandatory” obligation on organisations to notify affected parties (such as employees, customers or clients) that a cyber attack has resulted in a security breach or privacy breach which may have compromised their personally identifiable information (PII). However, existing privacy obligations, designed to protect personal information from misuse or loss, mean that any cyber attack compromising personal information could result in the involvement of multiple regulators.

Proposed scheme for mandatory data breach notification

In response to the Federal Parliament’s Joint Committee on Intelligence and Security’s inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, a mandatory data breach notification scheme was proposed in March 2015 for implementation by the end of 2015. Although aimed at the telecommunications industry, it appears that such a mandatory data breach notification requirement would also apply to other organisations subject to federal privacy laws.

Domestic and foreign mandatory notification considerations

Following a cyber attack, a crisis management team is usually formed to assist the organisation in determining its obligations to notify affected individuals that their personally identifiable information may have been compromised. The scope of this obligation extends beyond Australia’s borders. The organisation may have global exposures, or its data may be lodged in a cloud outside of Australia. Mandatory notification obligations of both domestic (Australian) and foreign jurisdictions must be considered. Currently, mandatory notification is required in the United States of America while, closer to home, it is also required in Taiwan, the Philippines and South Korea.

Financial impact of mandatory notification

If it is determined that notification is required (either voluntarily or in accordance with mandatory notification obligations), then costs will be incurred to make those notifications. This may include the costs of notifying affected customers, the costs of setting up a call centre to respond to inquiries or costs associated with good will gestures, as many organisations will accompany their notification to affected individuals with the offer of credit monitoring services.
