Playing hard to get: What are your notification obligations in the event of a data breach?

With the overwhelming amount of material consumers are bombarded with daily, the difficulties of notifying individuals of important information are well known. Notifying an often large number of individuals following a data breach and doing so in a manner they will understand and take any necessary action in response is no less difficult.

This has been highlighted recently by the Service NSW 2020 data breach example. The breach occurred in March and April 2020 and affected some 103,000 individuals. In a Senate Estimates Committee hearing in August 2021, it was reported that some 40 per cent of individuals affected by the breach had yet to confirm they had been notified of the breach by Services NSW. This is despite Service NSW taking steps to deliver the message via registered post so recipients needed to sign for the notification, and working with Transport for NSW to obtain more current addresses.

In this article we look further into the obligation to notify affected individuals of a data breach using the Service NSW example and explore possible ways to cut through notification fatigue.

Background to data breach notification laws

In 2010, the Australian Law Reform Commission recommended that the Privacy Act should provide for notification to individuals affected by a data breach in order to protect such personal information. The notification itself can protect the exposed personal information from any further exposure or misuse. By arming individuals with the necessary information, they have the opportunity, for example, “to monitor their accounts, take preventative measures such as opening new accounts, and be ready to correct any damage done”. It also encourages organisation to be transparent about their information-handling practices.

It was considered that the obligation to notify should be made mandatory as there was risk that that uncontrolled market may “undersupply notification”. That is, because of the reputational damage to organisations that notification can cause, organisations may not have sufficient incentives to notify customers voluntarily of a data breach.

Mandatory data breach notification laws were introduced into the Privacy Act in 2018. When considering the threshold at which notifications would be required, the Privacy Act asks organisations to make an assessment of whether the breach would give rise to a real risk of serious harm to an individual. This was settled upon partly because a lesser threshold of harm might result in notification fatigue. That is, where individuals receive so many notices of data breaches that it becomes difficult for them to assess which ones carry a serious risk of harm and which ones are minor in nature and consequence. It was also said to reduce the compliance burden on agencies and organisations.

The state and territory-based regimes have not, to date, contained laws around mandatory data breach notification. NSW is set to be the first state or territory to introduce such laws after making the announcement in May 2021. Under the new laws, which will be based on the federal government’s notifiable data breaches scheme, it will be compulsory for NSW government departments, state-owned corporations and local councils to notify people if their records have been compromised. Therefore, the notifications made by Service NSW in the example above were not “mandatory” at the time as such but certainly seemed necessary to prevent or mitigate against further loss or harm to the affected individuals. 

Indeed, organisations have for some time before mandatory data breach notification was introduced at a federal level, notified affected individuals (and regulators) of data breaches where individuals could then take steps to avoid any harm. Being aware of a breach would lead to being alert to, and taking steps to prevent, identity theft or becoming victims of scams.

Overview of obligations

Given the proposed NSW laws will be based on the federal regime, we will base our discussions around mandatory data breach notifications on the Privacy Act.

Broadly, under the Privacy Act:

• entities are required to notify individuals and the OAIC about data breaches that are likely to result in serious harm
• timely assessment and notification are important – this should be as soon as practicable after concluding that an eligible data breach has happened and within the prescribed 30-day period. A delay may be justified and unavoidable if notifying earlier might cause additional harm, such as compromising a criminal investigation, or providing incorrect information as further investigation is needed
• the Act and associated guidance states that the content of the notification must include the identity of the organisation, a clear explanation of the eligible data breach (how did it occur, and when), the types of personal information impacted, as well as recommendations about steps the individuals should take to mitigate any harm, such as changing passwords or cancelling credit cards
• in its 2020 report on notifiable data breaches, the OAIC has reported that it has found some notices it examined during its reporting period to be deficient, including because they did not enable the recipients to understand the risk and provided generic advice. A generic phrase such as your “personal details” may have been exposed is far less helpful than knowing it might be a tax file number or Medicare number, as distinct from an email address, for example. Failing to specify that the unauthorised person to who the information has been exposed is a malicious actor may also cause the recipient to take the notification less seriously
• organisations can satisfy their obligations by providing notice to all individuals who may suffer serious harm, but targeted notices may be more effective as the individuals are likely to take the notice more seriously
• the method of contacting affected individuals is left up to the organisation but must be the organisation's "usual method of notification" (as it relates to those affected individuals). Generally, the more likely it is that the individual may suffer serious harm, the more important it will be to ensure individuals receive and understand the notice. For example, if the organisation knew that an individual’s previously unknown location had been disclosed to an unauthorised third party with a known intent to harm the individual, the organisation would look to take immediate steps to personally alert that individual of the breach. If a large number of individuals had username and passwords compromised, and it was unknown as to whether any of these individuals were particularly vulnerable, a more generic approach might be warranted.

The guidance provides flexibility to an organisation as to the method and content of the notification and therefore is best not to just approach this notice as a “legal notice”. Privacy breach management should be tasked to a multi-disciplinary team with skills across communications and customer care, as well as legal and compliance experience. The focus of this team should be how to best reach these individuals and advise them in the clearest possible way of what they need to do to protect against further harm that may result.

Service NSW breach

In the example provided above, in March and April 2020, Service NSW’s email accounts were subject to an attack that resulted in the exposure of 736 GB of data containing the personal information of around 103,000 individuals. The attack prompted the four-month investigation, in which 3.8 million documents were analysed. The cost of the data breach is also now likely to be up to $35 million to remediate, more than five times as much as first estimated.

Reportedly, the data accessed was in the Service NSW systems due to its customers attending branches to lodge paperwork and handing over identification such as medical forms and rental tenancy notices. In order to lodge the documents, Service NSW employees scanned and emailed them to their own (staff) accounts. The criminal phishing attack targeted the employee accounts and the email attachments were compromised.

One Sydney woman reported to The Sydney Morning Herald receiving a letter from Service NSW about the attack after she lodged a rental tenancy application this year. Her concern around the impact of the data breach was around the combination of her information that had been exposed – her passport, bank details, rates notice, date of birth, Medicare card. Of course, the exposed data varied from individual to individual.

Service NSW chose the option of registered mail to notify the affected individuals partly to ensure that each individual was given targeted information regarding the nature of the information that had been potentially exposed (as this varied widely) and to offer the individuals case management support in having various identification re-issued.

In a Senate Budget Committee hearing in August 2021, senior employees of Service NSW were quizzed on why it had been such a difficult task to notify the individuals affected by this breach. Asked how Service NSW would have data of the affected individuals but how that data would not extend to contact details that would enable them to be readily contacted, the response was as follows:

• unstructured nature of the data extracted: The Chief Executive of Service NSW, Mr Damon Rees, explained that the information that was extracted was from the staff members’ email accounts. It was not from a core system of Service NSW. That meant the information that was extracted was highly unstructured in its nature. It included content within an email, scans of handwritten documents and scan of receipts.
  
  The unstructured nature meant the agency’s ability to extract and correlate that information and recognise that the information that looked like it related to an individual was actually that individual was a very difficult task. It was said the unstructured nature played a heavy role in the quality of the data that was available. Mr Rees explained that if it had been a breach of one of Service NSW core systems, like a customer relationship management system where those types of details are set out in a structured, reliable fashion, the exercise would have been very different
• approach to notification: The second factor that got in the way of readily being able to notify the affected individuals, Mr Rees explained, was the approach that Service NSW took to notification and the guidance it received around that. As explained above, this ultimately resulted in a notification process that saw the affected individuals mailed via post to advise them of the impact to them. In making this notification, Service NSW were provided with very clear guidance not to attempt to contact customers via other means such as email or phone calls for the risk that it creates not just to the impact of customers but to the broader populace if these methods were used as a channel for notification. Of the 103,000 people that Service NSW identified had some level of data impacted in those mailboxes, they were ultimately successfully able to send letters to 63,000 of these individuals over a number of rounds.
  
  The initial notification round was via secure registered mail, where customers needed to sign for their notification. That was designed to minimise the risk of criminals attempting to impersonate Service NSW in that notification process. It also effectively meant that a customer was signing for their own notification. Service NSW saw that as being able to provide a greater level of more personalised advice.
  
  When a number of those registered mails were returned to sender or were sent to invalid addresses, the agency undertook a second round of data matching with Transport for NSW and attempted to re-contact those customers where that letter had been returned to them. The agency then did a final round of notifications for the 18,500 customers that still had not successfully received those letters. These letters were not sent via registered mail or personalised in the way the earlier letters had been.

Learnings from the breach

The Committee also heard responses to questions around the learnings from the attack, with Mr Rees explaining: "There has been a huge amount of learnings from that data breach [including in regards to]...the specifics of the system that was compromised, which was our email system via a phishing attack that enabled the contents of our email accounts to be exfiltrated." 

The key learnings described by Mr Rees can be summarised as follows:

• improving technical controls around the email platform, such as introducing multifactor authentication and limiting the third-party applications that could be used to access email from mobile devices, as an example
• revising information retention, including removal of about 92 per cent of all email from customer-facing mail accounts. This reduces the dependency on email for the transfer of information across all of the business processes and in conjunction with partner agencies
• increased focus on strengthening of the department’s cybersecurity posture
• significant education and awareness component such as mandatory cybersecurity training, regular dialogue across the organisation and regular reinforcement of common things to be aware of and to look out for, making it easier for staff to identify what may be risky, what may be examples of attempted phishing attacks
• an increased focus on cybersecurity, along with risk management, privacy and a range of other things more broadly, which is reflected as one of the pillars of the Service NSW strategy through the organisation. The executive team holds meetings every fortnight on risk, cybersecurity, and privacy-related issues to make sure it maintains that level of focus for the organisation.

A different approach

Effective data breach response is about reducing or removing harm to affected individuals, and notification can only be effective if it is read and understood by the intended recipients. The danger of breach fatigue and the general distaste society has towards anyone that sends us unexpected mail, emails or voice calls or SMS makes this an incredibly difficult task. Organisations are battling an overwhelming complacency.

Perhaps an organisation should approach data breach notification as if it has the world’s best offer for the customer and needs to reach them with this offer. Or in some cases, as if they have the code to disarm a ticking time bomb that will otherwise go off. Communication strategies should be developed that go beyond traditional methods of communication that are mentioned in the guidance.

Whilst an email to the individual might cover off the legal duty to notify, organisations could back this up by introducing pop-up messages when individuals next log into their accounts, or even targeted advertising on social media that alerts individuals to check their email for notice of a breach.

As can be shown in the Service NSW example, publishing a copy of the statement on the organisation’s website and taking other reasonable steps to publicise the statement may result in there being adequate public awareness of a breach, but will not guarantee you can tick off that individual X on your list has been notified in the same way as if they have signed for a registered mail-out.

The fatigue problem

As reported by Rhodri Marsden, our personal information is frequently being compromised and this is becoming a serious security concern.

Marsden reported that the infographics company, Information Is Beautiful, has been tracking the world’s major data leaks for more than a decade, compiling them into a “balloon race” chart with the balloons representing the size of the breach. Facebook’s recent breach takes centre stage in the chart, and Capital One, Microsoft, Quora, MyFitnessPal, are also very prominent. Even the smallest balloon in the graphic represents close to a million personal records.

Considering a lot of major breaches for lesser-known companies or non-English speaking countries go unreported, the problem is almost overwhelming. Marsden says that the relentless nature of the breaches has led to breach fatigue, and with seemingly comparatively few of us winding up being affected, it has become an uninteresting story with no personal consequences. 

In his article on notification fatigue, Mathew J Schwartz quotes Eva Casey Velasquez, then president and CEO of the non-profit Identity Theft Resource Center, who argues that the way to combat the fatigue is not to require organisation to issue less notifications:

"The solution isn’t less information or more secrecy or more autonomy for corporations to decide what they’re going to disclose or not disclose . . . The solution is more access to good, solid information and resources for consumers so they can really understand what this means. You’re always going to be catching people where this is their first exposure, and [so] education and awareness is critical."

According to Schwartz’s article, receiving such an alert may be a consumer’s first encounter with password reuse questions and whether it’s safe to click on links in emails, the need to get a new credit card if they spot signs of fraud on their account.

The prevailing advice from both regulators and industry experts appears to be that combating consumer breach fatigue falls to breached businesses themselves, to issue timely, accurate notifications. In Schwartz’s article, he also refers to the advice of then vice president of data breach resolution at Experian Consumer Services, Michael Bruemmer:

"We always recommend clients wait until the forensics is complete so when the notification and call centers are implemented, the quality of the communication to the consumer is excellent . . . consumers do not like to be told only part of the story and have it come out over multiple communications."

This need to investigate is to be balanced with legal requirements and the possible harm that might be done if an organisation delays notification and an individual continues to be unaware that their personal information has been compromised.

For notifications – and preventing breach fatigue or feelings of anger and helplessness – clarity is also a key factor. “Notifications should be written from the perspective of the consumer,” says Bruemmer, and make clear, and easy, the steps they can take to protect themselves, such as regularly reviewing bank statements or signing up for a credit or ID theft monitoring service. “It is important to apologize, tell them what happened to [their] personal information, and most importantly, clearly state the steps the consumer should take to protect themselves.”

By assembling a team with expertise across a number of areas of the organisation and keeping the focus on protecting the affected individuals from that proverbial ticking time bomb, organisations should manage to comply with their legal, and moral, obligations to notify of data breaches.

Author: Emily Booth

• This article was originally published in the LexisNexis Internet Law Bulletin (volume 24, number 5)

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Emily Booth

Share this