Friday, 16 February 2018 09:39

Data breach law will change status quo, says practitioner


A Melbourne-based lawyer and business adviser says the new data breach notification law will not be the only one working to potentially internalise the costs of a breach.

"There are also obligations arising under contract, duty of care, trade secret and confidentiality, and potentially the Australian Consumer Law as well," Joel Vernon told iTWire in response to the views expressed recently in these columns by cyber security consultant Phil Kernick.

The Australian data breach law takes effect on 22 February. Kernick had expressed the view that the law would be among the weakest in the world and that it was unlikely to impose any pressure on businesses to change the way they protect personal data at the moment.

Vernon's view differed. He said the obligations listed above, when coupled with the potential for sufficiently-motivated and resourced plaintiffs to commence group or class action proceedings, would make cost internalisation fairly apparent.

"APP (Australian Privacy Principle) entities are also not necessarily out of the woods if they either reach a 'no harm' assessment or provide the notification. There may still be grounds for a complaint or a Commissioner’s own-motion investigation, in addition to other remedies under these other legal obligations."

He noted that the fines (or, rather, civil penalties) were up to $420,000 and $2.1 million for non-body-corporates and body corporates respectively. "Failure to comply with the notification regime is not the only potential liability under the Privacy Act – others are also in play," he added.

Vernon, who is a lawyer by trade but now more of a business adviser, has a background in IT as well, having worked for both Primus and Telstra.

He said it was not the case that only organisations with $3 million in revenue were covered by the law, with the relevant calculation being annual turnover.

"There are a range of other entities which are within the jurisdiction of the Privacy Act even if they do not reach this monetary threshold (such as health service providers, credit reporting bodies, and contracted service providers under a Commonwealth contract (even if not privy to the contract))," he pointed out.

"In other words, the obligations are of far wider significance and cover a range of otherwise quite small businesses which need to think very carefully about their operations and processes and whether they are complying with the Privacy Act now and additionally from 22 February."

Vernon said the solution proposed by Kernick — requiring all entities to simply report all breaches and shift the harm assessment to the Privacy Commissioner — did not change the cost dynamic.

"There is a cost either way. Entities bear the cost of notification (which may be marginal) or they bear the cost of the harm assessment," he said.

"Shifting the harm assessment from the entity to the Commissioner, in fact, externalises the cost from the entity and shifts it back to the community. Such an approach does even less for cost internalisation, if that is the policy goal."

He said he agreed with the views expressed in these columns by Helaine Leggat, director of Melbourne firm Information Legal, a few days ago.

"The Privacy Act is legislation informed by and motivated by Australia being a signatory to the International Covenant on Civil and Political Rights. In an ideal world, privacy (and security) shouldn't depend on legislation but should be an inherent part of the social contract. We collectively undervalue our privacy (and our personal information) and willingly trade that to others who value it more in exchange for convenience or features.

"The Privacy Act is an attempt to narrow this value relativity. There is plenty to be done in this space, even outside the notification regime, and I fully agree with Helaine when she says 'smaller businesses do not know what is required, and if they do, they have little idea of what to do. Even big organisations are struggling'. I can attest to that from my own experience."

Vernon said that both business and government should be grateful for the chance to demonstrate a commitment to privacy and security by, for example, having breach response plans in place.

He added: "This is not to say this is the only thing they need to do to ensure compliance with the Privacy Act – there are many front-end obligations they need to be aware of, and for organisations outside the scope of the Privacy Act, there will be other arrangements and obligations that also need to be considered."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
