I was chatting to a friend in the water sector last week and we were discussing the increase in data breach events occurring in that sector (and more broadly). We discussed a recent breach incident affecting a number of water utilities and the legal advice they received on notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals. The water sector in Victoria is regulated by the Department of Environment, Land, Water and Planning (or DELWP for short).
In any regulated industry it is critical to involve your regulator as early as possible, partly from a pure compliance perspective but also because it is simply helpful to your relationship with that agency. Industry regulators who come late to the party because an organisation has kept them out of the loop are not well disposed to that organisation, either at the time of the incident or moving forward. Good communication, even when you do not yet know the full extent of a breach, builds trust and goodwill. It also reduces the risk of embarrassment for the regulator, particularly if the breach becomes public and the regulator is put under pressure to explain its response or to answer ministerial questions.
However, there is a balance to be struck! Involving your industry regulator at the appropriate time in the event of a breach is one thing. Sending off a notification to the OAIC without first investigating the breach is another. Unless the breach needs to be notified quickly, perhaps because it falls within the 72-hour notification obligation under the General Data Protection Regulation (GDPR), it is important to note that Australia’s Privacy Act 1988 allows a longer window of 30 days.
The clock starts ticking from when you suspect an “eligible data breach” may have occurred. An affected entity will typically want to understand what has happened, at least at a preliminary level, before it rushes off to notify. The PageUp case is a good example of an exception to this approach: that company had obligations to notify in both Australia and the EU, which required it to notify earlier (within the GDPR’s 72-hour window).
Whilst the Information Commissioner encourages organisations, as a matter of good practice and to reduce the risk of serious harm to affected individuals, to complete the breach assessment more quickly than 30 days, this 30-day period nevertheless gives affected organisations, perhaps those involved in joint ventures or multi-party arrangements, a proper opportunity to assess the incident more effectively.
During this time, affected organisations may choose a lead entity to take responsibility for coordinating the overall breach response: setting up an incident response team, liaising with DELWP and making the notification to the OAIC (and affected individuals) following appropriate assessment of the incident.
Any approach which jumps the gun poses risk to the parties involved. The OAIC will likely seek further clarification, DELWP will want to know why it was not notified, and other industry participants will want to know why they were not consulted properly.
With breach events on the rise, it is important to manage and respond to them appropriately. Make sure you properly include industry regulator consultation and notification within your incident response plan. Yes, appropriate notification to the OAIC and affected individuals is important, but don’t leave your industry regulator out in the cold.