08 December 2021
With the overwhelming amount of material consumers are bombarded with daily, the difficulties of notifying individuals of important information are well known. Notifying an often large number of individuals following a data breach and doing so in a manner they will understand and take any necessary action in response is no less difficult.
This has been highlighted recently by the Service NSW 2020 data breach example. The breach occurred in March and April 2020 and affected some 103,000 individuals. In a Senate Estimates Committee hearing in August 2021, it was reported that some 40 per cent of individuals affected by the breach had yet to confirm they had been notified of the breach by Services NSW. This is despite Service NSW taking steps to deliver the message via registered post so recipients needed to sign for the notification, and working with Transport for NSW to obtain more current addresses.
In this article we look further into the obligation to notify affected individuals of a data breach using the Service NSW example and explore possible ways to cut through notification fatigue.
In 2010, the Australian Law Reform Commission recommended that the Privacy Act should provide for notification to individuals affected by a data breach in order to protect such personal information. The notification itself can protect the exposed personal information from any further exposure or misuse. By arming individuals with the necessary information, they have the opportunity, for example, “to monitor their accounts, take preventative measures such as opening new accounts, and be ready to correct any damage done”. It also encourages organisations to be transparent about their information-handling practices.
It was considered that the obligation to notify should be made mandatory as there was a risk that an uncontrolled market may “undersupply notification”. That is, because of the reputational damage that notification can cause, organisations may not have sufficient incentive to notify customers voluntarily of a data breach.
Mandatory data breach notification laws were introduced into the Privacy Act in 2018. When considering the threshold at which notifications would be required, the Privacy Act asks organisations to assess whether the breach would give rise to a real risk of serious harm to an individual. This threshold was settled upon partly because a lower threshold of harm might result in notification fatigue: a situation where individuals receive so many notices of data breaches that it becomes difficult for them to assess which ones carry a serious risk of harm and which ones are minor in nature and consequence. It was also said to reduce the compliance burden on agencies and organisations.
The state and territory-based regimes have not, to date, contained laws around mandatory data breach notification. NSW is set to be the first state or territory to introduce such laws after making the announcement in May 2021. Under the new laws, which will be based on the federal government’s notifiable data breaches scheme, it will be compulsory for NSW government departments, state-owned corporations and local councils to notify people if their records have been compromised. Therefore, the notifications made by Service NSW in the example above were not “mandatory” at the time as such, but certainly seemed necessary to prevent or mitigate further loss or harm to the affected individuals.
Indeed, for some time before mandatory data breach notification was introduced at a federal level, organisations had been notifying affected individuals (and regulators) of data breaches so that individuals could take steps to avoid any harm. Being aware of a breach leads to being alert to, and taking steps to prevent, identity theft or falling victim to scams.
Given the proposed NSW laws will be based on the federal regime, we will base our discussions around mandatory data breach notifications on the Privacy Act.
Broadly, under the Privacy Act:
The guidance gives an organisation flexibility as to the method and content of the notification, and it is therefore best not to approach this notice simply as a “legal notice”. Privacy breach management should be tasked to a multi-disciplinary team with skills across communications and customer care, as well as legal and compliance experience. The focus of this team should be how best to reach the affected individuals and advise them, in the clearest possible way, of what they need to do to protect themselves against any further harm that may result.
In the example provided above, in March and April 2020, Service NSW’s email accounts were subject to an attack that resulted in the exposure of 736 GB of data containing the personal information of around 103,000 individuals. The attack prompted a four-month investigation, in which 3.8 million documents were analysed. The cost of the data breach is also now likely to be up to $35 million to remediate, more than five times as much as first estimated.
Reportedly, the data accessed was in the Service NSW systems due to its customers attending branches to lodge paperwork and handing over identification such as medical forms and rental tenancy notices. In order to lodge the documents, Service NSW employees scanned and emailed them to their own (staff) accounts. The criminal phishing attack targeted the employee accounts and the email attachments were compromised.
One Sydney woman told The Sydney Morning Herald that she received a letter from Service NSW about the attack after she lodged a rental tenancy application this year. Her concern about the impact of the data breach centred on the combination of her information that had been exposed: her passport, bank details, rates notice, date of birth and Medicare card. Of course, the exposed data varied from individual to individual.
Service NSW chose the option of registered mail to notify the affected individuals partly to ensure that each individual was given targeted information regarding the nature of the information that had been potentially exposed (as this varied widely) and to offer the individuals case management support in having various identification re-issued.
In a Senate Budget Committee hearing in August 2021, senior employees of Service NSW were quizzed on why it had been such a difficult task to notify the individuals affected by this breach. Asked how Service NSW could hold data on the affected individuals without that data extending to contact details that would enable them to be readily contacted, the response was as follows:
The Committee also heard responses to questions around the learnings from the attack, with Mr Rees explaining: "There has been a huge amount of learnings from that data breach [including in regards to]...the specifics of the system that was compromised, which was our email system via a phishing attack that enabled the contents of our email accounts to be exfiltrated."
The key learnings described by Mr Rees can be summarised as follows:
Effective data breach response is about reducing or removing harm to affected individuals, and notification can only be effective if it is read and understood by the intended recipients. The danger of breach fatigue, and the general distaste society has towards anyone who sends us unexpected mail, emails, voice calls or SMS, make this an incredibly difficult task. Organisations are battling an overwhelming complacency.
Perhaps an organisation should approach data breach notification as if it has the world’s best offer for the customer and needs to reach them with this offer. Or in some cases, as if they have the code to disarm a ticking time bomb that will otherwise go off. Communication strategies should be developed that go beyond traditional methods of communication that are mentioned in the guidance.
Whilst an email to the individual might cover off the legal duty to notify, organisations could back this up by introducing pop-up messages when individuals next log into their accounts, or even targeted advertising on social media that alerts individuals to check their email for notice of a breach.
As the Service NSW example shows, publishing a copy of the statement on the organisation’s website and taking other reasonable steps to publicise the statement may result in adequate public awareness of a breach, but it will not guarantee that you can tick off individual X on your list as having been notified in the way you could if they had signed for a registered mail-out.
As reported by Rhodri Marsden, our personal information is frequently being compromised and this is becoming a serious security concern.
Marsden reported that the infographics company, Information Is Beautiful, has been tracking the world’s major data leaks for more than a decade, compiling them into a “balloon race” chart with the balloons representing the size of the breach. Facebook’s recent breach takes centre stage in the chart, and Capital One, Microsoft, Quora, MyFitnessPal, are also very prominent. Even the smallest balloon in the graphic represents close to a million personal records.
Considering a lot of major breaches for lesser-known companies or non-English speaking countries go unreported, the problem is almost overwhelming. Marsden says that the relentless nature of the breaches has led to breach fatigue, and with seemingly comparatively few of us winding up being affected, it has become an uninteresting story with no personal consequences.
In his article on notification fatigue, Mathew J Schwartz quotes Eva Casey Velasquez, then president and CEO of the non-profit Identity Theft Resource Center, who argues that the way to combat the fatigue is not to require organisations to issue fewer notifications:
"The solution isn’t less information or more secrecy or more autonomy for corporations to decide what they’re going to disclose or not disclose . . . The solution is more access to good, solid information and resources for consumers so they can really understand what this means. You’re always going to be catching people where this is their first exposure, and [so] education and awareness is critical."
According to Schwartz’s article, receiving such an alert may be a consumer’s first encounter with questions about password reuse, whether it is safe to click on links in emails, or the need to get a new credit card if they spot signs of fraud on their account.
The prevailing advice from both regulators and industry experts appears to be that combating consumer breach fatigue falls to breached businesses themselves, to issue timely, accurate notifications. In Schwartz’s article, he also refers to the advice of then vice president of data breach resolution at Experian Consumer Services, Michael Bruemmer:
"We always recommend clients wait until the forensics is complete so when the notification and call centers are implemented, the quality of the communication to the consumer is excellent . . . consumers do not like to be told only part of the story and have it come out over multiple communications."
This need to investigate is to be balanced with legal requirements and the possible harm that might be done if an organisation delays notification and an individual continues to be unaware that their personal information has been compromised.
For notifications – and preventing breach fatigue or feelings of anger and helplessness – clarity is also a key factor. “Notifications should be written from the perspective of the consumer,” says Bruemmer, and make clear, and easy, the steps they can take to protect themselves, such as regularly reviewing bank statements or signing up for a credit or ID theft monitoring service. “It is important to apologize, tell them what happened to [their] personal information, and most importantly, clearly state the steps the consumer should take to protect themselves.”
By assembling a team with expertise across a number of areas of the organisation and keeping the focus on protecting the affected individuals from that proverbial ticking time bomb, organisations should manage to comply with their legal, and moral, obligations to notify of data breaches.
Author: Emily Booth
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.