On 12 September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill).

Styled as the first set of a raft of incoming reforms, the Bill sets out a range of new enforcement powers, penalties, and changes to the structure of Australia’s privacy regime which may have material impacts on Australian corporate responsibilities. This article outlines the anticipated implications related to cyber incident readiness and response for the Australian market. 

The Regulatory Regime Is Changing

The reforms will provide enhanced powers to the Office of the Australian Information Commissioner (OAIC) to investigate and support organisations responding to cyber incidents. 

These amendments empower the OAIC to take a more enforcement-focused role in the management of privacy related matters. The OAIC will now have enhanced powers to investigate breaches, search for or seize evidence, and undertake public inquiries. Further, the OAIC will also be able to compel a respondent to satisfactorily investigate and mitigate damage in circumstances where loss or damage is reasonably foreseeable. 

This enhancement of the scope and role of the regulator is a further shift towards an enforcement footing. It brings the Australian privacy regime closer to other regions’ regimes, including the EU and State-based regulators in the US where entities have greater obligations in the privacy and security realm, along with the potential of facing significant monetary penalties. 

Style and Substance

Non-compliant or unsatisfactory eligible data breach statements may also soon be under the microscope. A new civil penalty provision has been added for Australian Privacy Principles entities (APP entities) who do not conduct sufficient investigations into eligible data breaches or correctly notify the Information Commissioner in their breach statements and descriptions. 

Increasingly relevant within these statements will be:  

1. A description of the eligible data breach that the entity has reasonable grounds to believe has happened.

2. The particular kind or kinds of information concerned.

3. Recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.

The level of specificity required under the new regime to satisfy obligations remains to be seen. However, the use of this statement (particularly for notification to affected data subjects), suggests it will need to be carefully drafted and informed by relevant data to minimise penalty risk and flow on litigation risk. Modern tools which enable the quick ingestion and assessment of compromised material will be critical to quickly assess the type of information compromised and specific steps to mitigate risk after notification. 

With 200 civil penalty units potentially on the line, collectively in excess of AUD$60,000, and the cost and accuracy of data breach review and notification decreasing, there will be limited avenues to avoid conducting a satisfactory investigation. Similarly, the substantiation needed to avoid notification due to practicality concerns will continue to increase in line with the availability and cost of comprehensive notification services. 

It will be interesting to track the development of this area as changing approaches to the level of detail required and time frames to provide this detail continue to push cyber-readiness and tried-and-tested incident response practices to the fore.  

There Is a Bar, but It Is a High One

One other major inclusion is the proposed introduction of a new cause of action in tort for serious invasions of privacy. The long-awaited tort will provide an avenue for individuals impacted by serious invasions of privacy (such as large-scale cyber incidents) to seek damages. 

Notably, the cause of action sets out a requirement for the serious invasion of privacy to be intentional or reckless. This is a high standard and has been developed through extensive consultation and the assessment of global invasion of privacy regimes. 

While there may be some circumstances where it is conceivable that an invasion of privacy is caused by an intentional act, i.e., an APP entity deliberately releasing records online in a data dump, it is more likely that a cause of action will arise from the recklessness of an entity. This could conceivably be the failure to patch known exploits, the use of unsecure or legacy systems (again, with knowledge of deficiencies), or a myriad of other poor compliance or governance practices.  

It will be interesting to see how recklessness is assessed in these circumstances, such as when IT exploits are identified, communicated, and not patched or when rogue employees within organisations are able to exfiltrate information with minimal oversight. Similarly, large-scale information governance or IT uplift projects that are delayed due to cost or operational concerns but continue to provide the basis for a threat actor to access systems may give rise to an assessment of recklessness. 

Finally, while it may seem to be a lower risk, large organisations who intentionally yet unwittingly misuse information and do not have sufficient controls in place to identify or prevent such an event may also find themselves in hot water. 

In many respects for APP entities, the days of plausible deniability when it comes to information governance and cyber preparedness are seemingly ending. Ultimately, it remains to be seen how punitive the OAIC is in its interpretation and application of these rules, but the new legislation will give them greater power to demand more from APP entities and greater ability to punish them if they deem the entities’ actions insufficient. In light of that, APP entities would be well advised to begin planning for how they will comply with these likely increased requirements.

How Epiq Can Help

Epiq provides both cyber preparedness and cyber incident response solutions to Australian companies seeking to mitigate risk and respond to cyber incidents. 

Partnering with insurers and law firms, Epiq’s technical team can help prepare for, mitigate, and uplift information governance standards to best-practice, and quickly and cost-effectively recover from an incident. This support can be crucial when seeking to adhere to the higher standards that these Privacy Act reforms represent. 

Learn more about Epiq’s cyber preparedness and cyber incident solutions. 

Tom Bennett-Mitrovski is a legal technology specialist and Account Director (Singapore & Australia) at Epiq. Tom co-chairs the Executive Committee of the Law Institute of Victoria's Technology and Innovation Section and sits on two subcommittees: Privacy, Cyber Security and Risk, and AI & Data. Tom also sits on the Law Council of Australia’s Futures Committee. Tom has worked on complex cyber incident response projects, Royal Commissions and Enquiries, large-scale and cross-border litigation matters, arbitrations, internal investigations and other digital forensics projects. Tom is also admitted to the Supreme Court of Victoria and practiced in commercial litigation prior to joining Epiq.