In early 2017, the medical records of 31 patients of a Melbourne private hospital were found on a local street.
At the time, the Victorian Health Complaints Commissioner confirmed there was no legal requirement for the patients to be notified, leaving them unaware that highly-sensitive information about their medications, diagnoses, surgeries and mental health conditions had been disclosed so publicly.
This was just one breach among many.
Globally, high-profile breaches have been reported by large international companies like Adobe, Dropbox and Uber. The Breach Level Index website estimates that nearly 10 billion records have been breached since 2013.
In response, the Commonwealth Notifiable Data Breaches scheme, which began in February 2018, has changed the rules here in Australia. The private hospital would now be required not only to let the affected patients know about the breach but also to advise them of any steps they should take.
But just how effective will the new scheme be?
What is the Notifiable Data Breaches scheme?
The Notifiable Data Breaches scheme was introduced into the Commonwealth Privacy Act 1988. The new provisions reflect a trend towards similar schemes around the world, including in most US states and the European Union, but Australia’s attempt is more limited in scope than some.
The scheme applies to Commonwealth government agencies, businesses and non-profit organisations that have an annual turnover in excess of AU$3 million, as well as private sector healthcare providers, credit reporting bodies, credit providers and tax file number recipients. But many organisations are exempt: some small businesses, registered political parties, and state and territory authorities – including public hospitals.
Under the Notifiable Data Breaches scheme, if there is unauthorised access to, disclosure of, or loss of personal information, and this is likely to result in serious harm to a person to whom the information relates, then the organisation that held the information must report the breach to the Australian Information Commissioner as well as notify the person affected.
There are provisions in the Privacy Act to help organisations assess the ‘likelihood of serious harm’ and decide whether they must report the breach. Taking successful remedial action that removes the likelihood of serious harm, such as changing access controls on compromised accounts before unauthorised access can occur, in turn does away with the notification requirement.
So far, so good.
The new law is designed to minimise the harm caused to people when their data is lost or inappropriately accessed, because once they know about it they can act to protect themselves, such as by cancelling bank cards or changing passwords.
In theory, organisations should be motivated to tighten their security measures to avoid adverse publicity through mandatory disclosure of breaches (backed by fines for non-disclosure). This should have the knock-on effect of making it more difficult for hackers to steal personal data.
But will it work?
The legislation only came into force in February, so it’s too early to say what effects it will have. The Office of the Australian Information Commissioner (OAIC) has certainly been doing its best to draw attention to the new provisions.
However, there seem to be some inherent problems.
First, thanks to Australia’s patchwork of Commonwealth and state privacy laws, many organisations that hold a large amount of sensitive personal data are exempt from the new scheme (like state-based entities), while others are unexpectedly caught by it. So the local naturopath has an obligation to report, while major public hospitals do not. And there’s no sign this issue will be addressed.
Major threats to personal data in Australia lie with state health authorities, which fall outside the scheme. The Victorian Auditor-General’s Office, in a 2016-17 report, identified IT security as the most substantial and long-standing problem facing public hospitals, highlighting the risk of “disgruntled employees or hackers circumventing security processes and stealing or altering hospital financial or patient data”.
This risk was underlined by a recent US survey indicating nearly one in five health employees would be willing to sell confidential data for as little as $500.
Second, the 30-day period companies have to investigate a breach could prevent consumers being able to take rapid steps to secure their data. Similar breach notification requirements in Europe require notification to a supervisory authority within 72 hours (where there is a risk to an individual’s rights and freedoms) and notification to the individual directly without “undue delay” (where there is a high risk to individuals).
Third, the hope that the notification scheme will spur organisations to enhance security may be undermined by ambivalence. Despite the OAIC roadshow promoting the scheme, many businesses remain unaware of the new provisions, unconcerned about the risk of data loss and poorly prepared to protect people’s information.
Penalties for not reporting breaches, in the context of the outsize budgets of major companies and Commonwealth agencies, are relatively light, with fines of up to AU$2.1 million for corporations. Many may see the cost of compliance with the scheme as higher than the penalty – assuming a penalty is even enforced.
At this stage the OAIC has been given no additional budget to police the new provisions. Large corporations may opt to cover up a breach to protect their reputation. The ride-sharing company Uber did just that in 2017, reportedly paying those who hacked the records of 57 million Uber users US$100,000 to delete the data.
The Notifiable Data Breaches scheme is a starting point, but there’s more to be done.
Joined-up laws across all states and territories that reflect the Commonwealth scheme would give people clarity and certainty about what would happen if their data was hacked, and would motivate organisations at all levels to get their security in order.
Stronger penalties and increased funding to the OAIC to enforce the Notifiable Data Breaches scheme could also be options worth considering.
Nearly everyone is vulnerable to their personal information being exposed publicly; keeping one step ahead of breaches has become an essential task of governments and corporations.
Now, at least, unmasking this problem will allow for more effective monitoring and enforcement of breaches in the future.